Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c8d24c3440f7a2a…

MALICIOUS

PDF

44.3 KB Created: 2020-08-30 05:09:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83793b38ef5c678256a01acc9737fb15 SHA-1: a5a35a0a839942780a20a08608b8a59fe8a7f409 SHA-256: 4c8d24c3440f7a2a448f46766fe3634a1e620fa66d4398332b1f2086f550717f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on Shopify. One of the primary links, https://ttraff.com/wix?keyword=resumen+del+documental+los+piratas+de+silicon+valley, is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this URL and other Shopify links, suggesting a social engineering attempt to drive traffic to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=resumen+del+documental+los+piratas+de+silicon+valley
    • https://cdn.shopify.com/s/files/1/0432/6254/1982/files/fumorajuwixi.pdf
    • https://cdn.shopify.com/s/files/1/0434/0501/7255/files/giwawup.pdf
    • https://cdn.shopify.com/s/files/1/0435/7973/6223/files/51011660199.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/44758106853.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/39738284996.pdf
    • https://cdn.shopify.com/s/files/1/0431/8865/0135/files/69690975751.pdf
    • https://cdn.shopify.com/s/files/1/0468/8681/3853/files/koxaputebilunuxadij.pdf
    • https://static.usrfiles.com/ugd/b8c837_1194370f7fe24c9aae7dbc812492f2fd.pdf
    • https://static.usrfiles.com/ugd/e2c250_5558ec2bc1dc4f4997c8c6ab10c4a425.pdf
    • https://static.usrfiles.com/ugd/760101_2f4f300dbbe74a7db9b972796bfeaa5b.pdf
    • https://static.usrfiles.com/ugd/67e251_6d2d18ee0c8f4148b3959a9710ab032f.pdf
    • https://static.usrfiles.com/ugd/b8c837_b5b202edd1044a25b199b1d41445b8c9.pdf
    • https://static.usrfiles.com/ugd/4d6844_bf4b507dab9e45b98b638407f7319835.pdf
    • https://static.usrfiles.com/ugd/286fb8_d70efde01f334314b748426629833def.pdf
    • https://static.usrfiles.com/ugd/67f5f7_4f7ac57c5310461d891f312e497e5197.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b5c.bin
872d61d2a1360cc3807db6eb2f390f8a38747585bc463b57540af58ff4bf9bed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B5C 5388 bytes
font_01_sfnt_off00007da7.bin
a68b893b95f0c4912573e47a613d75b19cc7fd3a05eb8d9421f84b29dc62f957		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DA7 11152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.