Malicious PDF — malware analysis report

Static analysis result for SHA-256 518dfcff688677c7…

MALICIOUS

PDF

35.1 KB Created: 2020-08-22 21:09:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8de131a7175c8c4a62919f8e47aeaf5c SHA-1: 29d620490a153c8589a0104be285075f56e8adf0 SHA-256: 518dfcff688677c789a9c0f5c2f33b6c093687851b640aa9ea64855625fdb1eb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in

The PDF file contains a significant number of embedded links, with one heuristic identifying it as a PDF link farm. The primary malicious link, https://ttraff.cc/pify?keyword=shambo+shankara+2018+movie, is flagged as a malicious redirector. The document body itself is heavily obfuscated and contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create SEO spam or redirector pages.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=shambo+shankara+2018+movie
    • http://xijenep.500greatweddingideas.com/uploads/1/3/2/6/132695569/5590863.pdf
    • http://gixifuxo.allaynewebster.com/uploads/1/3/0/8/130874043/tadopa_vijovusip.pdf
    • https://cdn.shopify.com/s/files/1/0445/2705/9103/files/49166541407.pdf
    • https://cdn.shopify.com/s/files/1/0438/9833/9496/files/32337911726.pdf
    • https://cdn.shopify.com/s/files/1/0434/7917/1222/files/pitaxawefumu.pdf
    • https://cdn.shopify.com/s/files/1/0432/3917/8399/files/52731271756.pdf
    • https://cdn.shopify.com/s/files/1/0435/6849/6798/files/beginner_disney_piano_sheet_music_free.pdf
    • https://cdn.shopify.com/s/files/1/0435/0876/0735/files/kurusimezaz.pdf
    • https://cdn.shopify.com/s/files/1/0432/8770/7806/files/pewimilu.pdf
    • https://cdn.shopify.com/s/files/1/0427/5198/3783/files/luvanadujud.pdf
    • https://cdn.shopify.com/s/files/1/0435/2868/3674/files/78913200695.pdf
    • https://cdn.shopify.com/s/files/1/0437/1234/8315/files/blender_3d_animation_tutorials.pdf
    • https://cdn.shopify.com/s/files/1/0430/4456/9242/files/pojoxoki.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/21154843933.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a2c.bin
14b405ccfbe384f4e2f86ac9d1a603da84ea5566d58314c60edbbda2d6111935		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A2C 5780 bytes
font_01_sfnt_off00005db9.bin
820f091c7ba0945c452ec365d0b1a3373e1c8790dc8c8592edc05be105831079		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DB9 9952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.