Malicious PDF — malware analysis report

Static analysis result for SHA-256 506bab9c561b47a8…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Created: 2020-08-09 17:55:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6de0fd89b431c30ef29ee7c4679c0ddd
SHA-1: 8c2678623a804bf23e56470017955c5f68c5637b
SHA-256: 506bab9c561b47a800fbd48323e30ba887b0bb34ff764174b43805cf097d6542
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of clickable external links. One points to a redirector service (ttraff.com); the remaining ones all target other PDF files, clustered on a few file-hosting hosts, which is the pattern of a generated link farm built to manipulate search engine results rather than a document citing sources. The document body, although not readable as plain text, also contains the URL that triggered the redirector heuristic, so the indicator is present outside the link annotations as well. The authoring application (wkhtmltopdf, an HTML-to-PDF renderer) is consistent with the document having been generated from a web page. Taken together, the links suggest an attempt to route users who open the document into redirect chains that end at phishing, unwanted-software or malware delivery pages; the file does not appear to exploit a PDF parser.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL. Redirector URL found in both a link annotation and the document body:
    • https://ttraff.com/pify?keyword=mathematics+content+methods+meaning+pdf
    External PDF links (17, of which 12 on cdn.shopify.com):
    • http://files.ecobotsupport.com/uploads/1/3/1/8/131871692/d3f736.pdf
    • http://files.abxs.org/uploads/1/3/0/7/130776150/nomat_piwunod_voniboxero_manej.pdf
    • http://gukujob.harkback.org/uploads/1/3/1/3/131378776/xezinalu.pdf
    • http://files.rhssoftball.us/uploads/1/3/2/8/132815807/nuferisenir.pdf
    • http://files.longviewpaws.org/uploads/1/3/2/6/132681219/xiduwitub_ledota_vivupelu_jivek.pdf
    • https://cdn.shopify.com/s/files/1/0434/0698/3318/files/brew_install_python_3._5.pdf
    • https://cdn.shopify.com/s/files/1/0430/1871/5289/files/99724009127.pdf
    • https://cdn.shopify.com/s/files/1/0441/2456/9752/files/21406251403.pdf
    • https://cdn.shopify.com/s/files/1/0431/1754/3588/files/bifififibelozaxu.pdf
    • https://cdn.shopify.com/s/files/1/0432/2246/6727/files/anti_aromatic_compounds.pdf
    • https://cdn.shopify.com/s/files/1/0432/5857/7046/files/86181681004.pdf
    • https://cdn.shopify.com/s/files/1/0427/8062/3015/files/zekusepi.pdf
    • https://cdn.shopify.com/s/files/1/0431/5296/5789/files/sugujufev.pdf
    • https://cdn.shopify.com/s/files/1/0430/1619/2153/files/numovuzaraxavefakadip.pdf
    • https://cdn.shopify.com/s/files/1/0437/2732/3301/files/fetexewifebarapag.pdf
    • https://cdn.shopify.com/s/files/1/0429/7100/5082/files/kusefotuxalenerememo.pdf
    • https://cdn.shopify.com/s/files/1/0434/8251/3561/files/zagabepikovem.pdf
    XMP/RDF namespace URIs from the document metadata (standard schema identifiers written by the authoring tool, not clickable links, and not part of the detection):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
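The two critical heuristics above reduce to a small amount of logic: pull the /URI targets out of the PDF's link annotations, check them against a redirector list, and look for a small file carrying many external .pdf links clustered on one host. The following Python is an added example written for this page, not the analysis engine's own code. It builds a constructed stand-in PDF in memory (the URLs, hosts and the redirector list are made up; the real sample is not embedded) and runs both checks over it. It only reads literal-string URIs in uncompressed objects; a production pipeline inflates streams and object streams first.

```python
import re
from collections import Counter
from urllib.parse import urlsplit


def build_link_pdf(urls):
    """Constructed sample: a minimal one-page PDF with one /Link /URI
    annotation per URL. The xref table is omitted on purpose, since the
    bytes are only fed to the regex extractor below, never to a viewer."""
    objs, annots = [], []
    for i, u in enumerate(urls):
        num = 5 + i
        # escape the characters that are special inside a PDF literal string
        lit = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append(f"{num} 0 R")
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    f"/A << /S /URI /URI ({lit}) >> >>\nendobj\n")
    header = ["%PDF-1.4\n",
              "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
              "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
              f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
              f"/Annots [{' '.join(annots)}] >>\nendobj\n"]
    body = "".join(header + objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return body.encode("latin-1")


# /URI followed by a literal string; backslash escapes are skipped as a unit
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return the URI action targets found in uncompressed objects."""
    out = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
        out.append(raw.decode("latin-1"))
    return out


# Constructed denylist standing in for a real redirector-infrastructure feed.
REDIRECTOR_HOSTS = {"ttraff.com"}


def redirector_hits(uris):
    """URIs whose host is on the redirector list (PDF_MALICIOUS_REDIRECTOR_LINK)."""
    return [u for u in uris if urlsplit(u).netloc.lower() in REDIRECTOR_HOSTS]


def link_farm_score(pdf_bytes, uris, max_size=256 * 1024,
                    min_links=10, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM: small file, many external links to other PDFs,
    most of them on a single host. Thresholds are illustrative assumptions."""
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = (len(pdf_bytes) <= max_size and len(pdf_links) >= min_links
           and share >= cluster_ratio)
    return {"external_links": len(external), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2),
            "link_farm": hit}


# Constructed URL set mirroring the shape of the report: one redirector link,
# a dozen links on one CDN host, a handful on throwaway upload hosts.
SAMPLE_URLS = (["https://ttraff.com/pify?keyword=example+pdf"]
               + [f"https://cdn.example-cdn.test/files/{i}/doc{i}.pdf" for i in range(12)]
               + [f"http://files.host{i}.test/uploads/x{i}.pdf" for i in range(5)])
SAMPLE_PDF = build_link_pdf(SAMPLE_URLS)


def triage(pdf_bytes=SAMPLE_PDF):
    """Run both heuristics over a PDF and return the combined findings."""
    uris = extract_uris(pdf_bytes)
    report = link_farm_score(pdf_bytes, uris)
    report["redirector_hits"] = redirector_hits(uris)
    return report


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

The host-clustering ratio is what separates a link farm from a legitimate bibliography: a paper citing twenty PDFs spreads them across many publishers, whereas a generated carrier points almost everything at one CDN or one batch of upload accounts.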

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006787.bin
  SHA-256: 6c4f67691704a3bd09a27a395ed47ad7f972ba06e9193b52c5b57ae861cac93e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6787
  Size: 5444 bytes

Filename: font_01_sfnt_off000079ff.bin
  SHA-256: 1aec21c6f37b2a65c36c51d409c3560b7a005849fda82f9ab81cd8f5c48ad9e4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x79FF
  Size: 9944 bytes