Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f7ae66ce3c9ba17…

MALICIOUS

PDF

52.6 KB Created: 2020-08-31 11:01:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 913793f3b91d8fbc0a1354af20ec900d SHA-1: 635b8d88fd677b1b053836a0017e62d0615904bd SHA-256: 4f7ae66ce3c9ba179240bfa0e82be4412af733de9581ef4a380f18de4e0535c7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a large number of embedded links, a technique often used in link farms to manipulate search engine results or redirect users to malicious sites. One of the primary URLs, 'https://ttraff.cc/wix?keyword=fuentes+de+campo+magnetico', is flagged as a known malicious redirector. The document body contains garbled text and a reference to the malicious URL, further supporting the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=fuentes+de+campo+magnetico
    • https://static.usrfiles.com/ugd/362633_c8f97e3dff2c4e7ca83fe2ad9064c1a3.pdf
    • https://static.usrfiles.com/ugd/ab059d_b7ef02e8ef784b14a3062ade6893ada7.pdf
    • https://static.usrfiles.com/ugd/1ee69b_7763cb865142476592ce649640225555.pdf
    • https://static.usrfiles.com/ugd/b8c837_dea0e0c5fb644b17acdc26d373103ee2.pdf
    • https://cdn.shopify.com/s/files/1/0432/3724/5085/files/performance_appraisal_methods_in_hrm.pdf
    • https://cdn.shopify.com/s/files/1/0433/8758/4661/files/cuantas_veces_se_debe_cruzar_un_perr.pdf
    • https://cdn.shopify.com/s/files/1/0430/8100/7255/files/25831293589.pdf
    • https://cdn.shopify.com/s/files/1/0429/0537/0791/files/55861789912.pdf
    • https://cdn.shopify.com/s/files/1/0435/3087/9136/files/zombie_catchers_hack_mod_app.pdf
    • https://cdn.shopify.com/s/files/1/0434/2956/0481/files/chennai_express_full_movie_mp4_480p.pdf
    • https://static.usrfiles.com/ugd/b8c837_85a02cd4e13f44c7a75ca7189ebe6650.pdf
    • https://static.usrfiles.com/ugd/b8c837_8c8a9f9fdaf245c5bb33594a03a051e2.pdf
    • https://static.usrfiles.com/ugd/895bef_a696653c47d34257afdc37e6be6c79b4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008dcb.bin
e0a706b8dbcadcec97fcf44907e976f21d6c55f814bf576ef9ce683ae5ed9ba2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DCB 5220 bytes
font_01_sfnt_off00009f81.bin
b81daa91082b35bf0274a4e0446ebe8291db252182031d982549607722602604		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9F81 11228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.