Malicious PDF — malware analysis report

Static analysis result for SHA-256 4cc88bb263d8a6ad…

Verdict: MALICIOUS
File type: PDF
Size: 35.9 KB
Created: 2020-08-30 22:25:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10ce7beb22b740ea247de9e341e119f5
SHA-1: 4b4ecc3f6f816e8935aa11ef667f65b3c218c534
SHA-256: 4cc88bb263d8a6adb39a7f230eefb8d90154e282f13c4d07086059dc01a9eec7
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a mass external link farm, with 26 links pointing to various PDFs hosted on Shopify. One of these links, 'https://ttraff.com/wix?keyword=outback+river+guide+hat', is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting the primary intent is to lure users to malicious infrastructure via these links. The presence of urgency language further supports a phishing or scamming attempt.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=outback+river+guide+hat

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000050bd.bin | c67fa1f31f9070deb90382cddf190abbb96bec5420089f314f0c8c32670939d6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x50BD | 5280 bytes
font_01_sfnt_off000062ac.bin | 7214085e1072b96c1c40c3a83a3f7cf8cb20fd43a31b65530c95ba9c4fb67b0b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x62AC | 9456 bytes