Malicious PDF — malware analysis report

Static analysis result for SHA-256 53516b2dc7cea08f…

MALICIOUS

PDF

37.5 KB Created: 2020-08-24 05:00:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f6604e2052cb6e03c3318903147589a SHA-1: a72084194edda6059a3700c534550e5eb488cc73 SHA-256: 53516b2dc7cea08fd2a1c500b71dc6fac83836bb645ed6e962417a54f664400e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=ariens+lawn+tractor+repair+manual'. It also contains a PDF link farm heuristic, indicating a large number of external links, many hosted on cdn.shopify.com. The document body, though heavily corrupted, contains text related to 'Ariens lawn tractor repair manual' and the malicious URL, suggesting a lure to a malicious site disguised as a technical document.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ariens+lawn+tractor+repair+manual
    • http://junawez.stjca.org/uploads/1/3/0/8/130874575/6074476.pdf
    • https://cdn.shopify.com/s/files/1/0430/5915/1009/files/biggest_city_in_mississippi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0648/3876/files/system_analysis_and_design_notes_for_mba.pdf
    • https://cdn.shopify.com/s/files/1/0437/6811/9453/files/catering_menu_template_psd.pdf
    • https://cdn.shopify.com/s/files/1/0430/9565/4567/files/designing_websites_templates.pdf
    • https://cdn.shopify.com/s/files/1/0435/5594/6647/files/befawomuj.pdf
    • https://cdn.shopify.com/s/files/1/0427/8219/5879/files/89885371152.pdf
    • https://cdn.shopify.com/s/files/1/0429/7188/9815/files/29246362081.pdf
    • https://cdn.shopify.com/s/files/1/0432/6057/5908/files/80080816415.pdf
    • https://cdn.shopify.com/s/files/1/0431/1393/9110/files/safepoperavidosojitu.pdf
    • https://cdn.shopify.com/s/files/1/0432/1381/5966/files/56803670301.pdf
    • https://cdn.shopify.com/s/files/1/0428/3714/7811/files/42860266777.pdf
    • https://cdn.shopify.com/s/files/1/0434/4587/8941/files/27616961001.pdf
    • https://cdn.shopify.com/s/files/1/0432/2505/5389/files/44431847731.pdf
    • https://cdn.shopify.com/s/files/1/0431/5942/1092/files/luvodon.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000053a4.bin
d218155e7f3adbb57c82679edc61b11442c8492acbe302a1cf1794d684d4c670		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53A4 5160 bytes
font_01_sfnt_off00006520.bin
ceff239119bd66493c583fd9da0f572da2e06c165728bbe1239925158ac23012		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6520 10624 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.