Malicious PDF — malware analysis report

Static analysis result for SHA-256 5281a6cdcaee3049…

Verdict: MALICIOUS
File type: PDF
Size: 46.5 KB
Created: 2020-08-31 22:56:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4a89b2fbb75b7501d1e3c299a9f9e5b3
SHA-1: 415746a63d57f6c06bd9c2ec21a68affd9efa35d
SHA-256: 5281a6cdcaee30490c5b0bd7133fe1b2fb7197b20fbc4a20c352502cdbfe600e
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique often used in SEO poisoning or to distribute malicious content. One of the embedded URLs, 'https://ttraff.com/wix?keyword=all+answered+prayers+in+the+bible', is flagged as a known malicious redirector. The document body itself is heavily obfuscated and contains the same URL, suggesting it's part of a lure to redirect users to malicious infrastructure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/wix?keyword=all+answered+prayers+in+the+bible
    • https://static.usrfiles.com/ugd/b8c837_1a36d9949354433ca8684a5763695c9d.pdf
    • https://static.usrfiles.com/ugd/4826f5_7c1de36307de4949a6fe89b05c88a35d.pdf
    • https://static.usrfiles.com/ugd/8cbfce_2cfc1422773b4d8589978bbc1590b1d5.pdf
    • https://static.usrfiles.com/ugd/e2c250_322addb18bd349f18a09c1082995ca84.pdf
    • https://static.usrfiles.com/ugd/d775a9_73be13cce063463890dcb9d2c6ab6fcc.pdf
    • https://static.usrfiles.com/ugd/ecec20_d373c61084aa4a7cba24f1089316c506.pdf
    • https://static.usrfiles.com/ugd/7d21c0_cfd376a13d064665835b995f57d6e7ba.pdf
    • https://static.usrfiles.com/ugd/9b5f63_4e3481d6e6f24a4bb2595faa45b9349d.pdf
    • https://static.usrfiles.com/ugd/2f3ac6_f59bcf19f26a4530ae3c072045174eaa.pdf
    • https://cdn.shopify.com/s/files/1/0431/8350/5562/files/rigiserikezazotix.pdf
    • https://cdn.shopify.com/s/files/1/0431/9353/2573/files/list_of_sound_absorbing_materials.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/9b5f63_4e34

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000776d.bin
    SHA-256: 2081ecf1192ab58a272d5c4d7b926aea7de45aad9769a6a3061e09fa02b116f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x776D
    Size: 5372 bytes
  • font_01_sfnt_off000089b9.bin
    SHA-256: 657bfce56aff10dbf2009aa48ddd9707fe861e351bbac11f6aa96777749d8637
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x89B9
    Size: 10352 bytes