Malicious PDF — malware analysis report

Static analysis result for SHA-256 57349556489e608e…

MALICIOUS

PDF

39.6 KB Created: 2020-09-03 13:17:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a20a785339f829a2b587983aa60ae10 SHA-1: f470aab2f7cd20e46b2519ee01c15e8dbb80b198 SHA-256: 57349556489e608e5c7f73c3322da0e6a36e7a10f3979f6cd4f04b18791dda78
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link and a link farm, indicating a phishing or scam attempt. The presence of a 'download button' heuristic further supports this, suggesting the document's intent is to trick the user into clicking the malicious link. The primary malicious URL is https://ttraff.me/wix?keyword=chicken+invaders+2++windows+8, which is used to redirect the user. A secondary URL, https://cdn.shopify.com/s/files/1/0440/9131/0232/files/69025137829.pdf, is part of the link farm.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=chicken+invaders+2++windows+8
    • https://cdn.shopify.com/s/files/1/0440/9131/0232/files/69025137829.pdf
    • https://cdn.shopify.com/s/files/1/0429/0795/9452/files/star_wars_a_solo_story.pdf
    • https://cdn.shopify.com/s/files/1/0435/0027/3830/files/panebidovozurolakirefawob.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/29331550606.pdf
    • https://cdn.shopify.com/s/files/1/0447/1137/9097/files/compare_and_contrast_neoclassicism_and_romanticism_literature.pdf
    • https://cdn.shopify.com/s/files/1/0434/0681/9477/files/dudofajidafewobo.pdf
    • https://cdn.shopify.com/s/files/1/0429/7857/4490/files/bawirodufufum.pdf
    • https://static.usrfiles.com/ugd/3ce946_b060e13b0038441b8966b9c67eea6928.pdf
    • https://static.usrfiles.com/ugd/4f270c_beac971e62e34af3afe9d3f09590e906.pdf
    • https://cdn.shopify.com/s/files/1/0431/3550/0439/files/microsoft_word_boat_bill_of_sale_template.pdf
    • https://cdn.shopify.com/s/files/1/0437/1477/3147/files/87618913934.pdf
    • https://cdn.shopify.com/s/files/1/0432/6329/5646/files/13863303466.pdf
    • https://cdn.shopify.com/s/files/1/0434/5203/9328/files/60403824141.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c53.bin
828075227cb6e779aab97f11d6298fc9518f08e2ad59fba9848a7b02e9cf1aa7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C53 5444 bytes
font_01_sfnt_off00006ee3.bin
4ece628e3979e297a4e0fb1483bfe18510a32ff0e427dec55541f411de70a0ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EE3 10296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.