Malicious PDF — malware analysis report

Static analysis result for SHA-256 53b7687895197a39…

MALICIOUS

PDF

41.0 KB Created: 2020-08-14 23:24:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84461f548be4fc43bfa1077ea0a0c957 SHA-1: 54fa03c14723687c60e5c4988d43f856206a0b69 SHA-256: 53b7687895197a39bafe8aa9eae009653679ebef57ebe5f41959a6ceaa850a2a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. Additionally, PDF_SEO_LINK_FARM suggests a large number of external PDF links are present, likely to obscure the malicious intent. The embedded document body contains the malicious URL and several other PDF links, some of which are hosted on Shopify. The primary malicious URL is https://ttraff.cc/pify?keyword=alcazar+seville+audio+guide+worth+it, which likely serves as a redirector to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=alcazar+seville+audio+guide+worth+it
    • http://files.barnes1ststepft.com/uploads/1/3/2/6/132681891/zosowadugug.pdf
    • http://zironitel.maryburton.rehab/uploads/1/3/2/7/132710780/da25af3.pdf
    • https://cdn.shopify.com/s/files/1/0430/0079/1191/files/fasuxireridevexemor.pdf
    • https://cdn.shopify.com/s/files/1/0431/8884/6753/files/mobopavuride.pdf
    • https://cdn.shopify.com/s/files/1/0430/3273/9989/files/suferi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/9284441163.pdf?v=1594212706
    • https://cdn.shopify.com/s/files/1/0435/9330/2178/files/math_background_image.pdf
    • https://cdn.shopify.com/s/files/1/0434/1891/0870/files/92315406880.pdf
    • https://cdn.shopify.com/s/files/1/0431/2950/3901/files/brche_erklrung.pdf
    • https://cdn.shopify.com/s/files/1/0431/6351/7092/files/calendrio_futebol_2020_19.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/44994208471.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/32343356061.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000061d4.bin
ff82390eb033dfed50935ef5c057e810bd7f40be7dfb15d3df595c13d1c1b863		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61D4 5392 bytes
font_01_sfnt_off00007434.bin
384d5918fec5f892b41bbfc38f0206c74354f0428fd2f045db2cda2e5993c64d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7434 10616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.