Malicious PDF — malware analysis report

Static analysis result for SHA-256 55d046df1c66a491…

Verdict: MALICIOUS
File type: PDF
Size: 42.1 KB
Created: 2020-08-21 16:08:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64a218637ed631b1f62a1daf190b21ed
SHA-1: 5f83d8f1cb711b8676b6df1bc13da1e75e1bda19
SHA-256: 55d046df1c66a49160f9f31d969cd16a94117a31c64cf08c1d79b6f236e64caa
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, many pointing to Shopify-hosted PDF files, which is indicative of a link farm. One of the primary links, 'https://ttraff.cc/pify?keyword=bellona+offset+form+yatak+yorum', is flagged as a malicious redirector. This suggests the document's purpose is to direct users to potentially harmful content or exploit kits through a chain of redirects and hosted files.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=bellona+offset+form+yatak+yorum

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00004e25.bin | ad77fc12ba3459fe68979df550e25fa7fac1211d148d61a9b0cac5aeb95f0849 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4E25 | 5128 bytes
font_01_sfnt_off00005f86.bin | 713034cfe0871ce0db0b0be4e8bedb6ac0f75573a4a0dac1cdc6ba36fa0b3c34 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F86 | 11808 bytes
font_02_sfnt_off000084d3.bin | 6b08f8481c6c57ebf8f14ebfc3cac4dd00d3a39203628dd640d3b2d2ca935c04 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x84D3 | 16140 bytes