Malicious PDF — malware analysis report

Static analysis result for SHA-256 501f6965545c2512…

MALICIOUS

PDF

40.6 KB Created: 2020-08-13 22:31:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f4e6d179d51d2e8b7118b0f52b1ceca SHA-1: fa163f1ca81793f2d99ee74468dc439b92910d1c SHA-256: 501f6965545c2512ce4d7700a7fd4515605fd7f7077ad990fb9bdf96b7fcdb82
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs. One critical heuristic identified a link to a known malicious redirector at 'ttraff.com'. The document body, though heavily obfuscated, contains the same redirector URL and a reference to 'piano sheet music', suggesting a lure to entice users to click the malicious link. The primary attack pattern involves redirecting users to potentially harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=faithless+drifting+away+piano+sheet+music
    • http://files.columbuscountydisasterresponse.org/uploads/1/3/0/7/130776619/1e57710ffa97b9e.pdf
    • http://files.theartswithpassion.com/uploads/1/3/0/9/130969153/niropokoj.pdf
    • http://pudok.piano4t.net/uploads/1/3/1/3/131379061/jilexaz.pdf
    • https://cdn.shopify.com/s/files/1/0438/3349/1606/files/bankersadda_quant_quiz.pdf
    • https://cdn.shopify.com/s/files/1/0448/2465/8082/files/75726224209.pdf
    • https://cdn.shopify.com/s/files/1/0428/2748/1255/files/rinoxetuda.pdf
    • https://cdn.shopify.com/s/files/1/0435/7645/9422/files/16201333728.pdf
    • https://cdn.shopify.com/s/files/1/0432/9065/6921/files/fepivagojelikefotate.pdf
    • https://cdn.shopify.com/s/files/1/0428/9619/5737/files/18976387927.pdf
    • https://cdn.shopify.com/s/files/1/0433/4357/7256/files/84391917846.pdf
    • https://cdn.shopify.com/s/files/1/0430/8838/0061/files/19441202673.pdf
    • https://cdn.shopify.com/s/files/1/0431/6318/9405/files/xampp_mysql_default_password.pdf
    • https://cdn.shopify.com/s/files/1/0435/4372/4186/files/jifivuvagegipaxi.pdf
    • https://cdn.shopify.com/s/files/1/0433/4436/3678/files/buvutejutowefumarifosoxi.pdf
    • https://cdn.shopify.com/s/files/1/0434/8788/7526/files/16877306472.pdf
    • https://cdn.shopify.com/s/files/1/0438/8506/8456/files/14692634978.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005168.bin
7f2da8d67b9af7a1b66e05b4d233c14fac03ec2d61ec2ffe14f42857e1f52bb2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5168 5716 bytes
font_01_sfnt_off000064bd.bin
54bad1abdab19e707bee1f405b0186c99b3e29423a183324849a9a47abfa693c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64BD 15016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.