Malicious PDF — malware analysis report

Static analysis result for SHA-256 58b189ea44b73857…

MALICIOUS

PDF

35.5 KB Created: 2020-08-30 12:49:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d1b196d82f79f7f5bdd2ad8de8bbdfb9 SHA-1: d2a83ca2e74f7f22703c0438eab9a9da8239857d SHA-256: 58b189ea44b738579a85f2904fd9409c306635b7df570cf9bda2b25dac38349d
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a redirector service (ttraff.com) which is flagged as malicious. The document body, though heavily obfuscated, appears to contain the same URL and references a game ROM, suggesting a lure to trick users into visiting the malicious site. The presence of numerous other PDF links, many hosted on Shopify, indicates a link farm strategy, likely for SEO poisoning or distributing further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=shovel+knight+3ds+rom+decrypted
    • https://cdn.shopify.com/s/files/1/0463/0455/9261/files/tinejakaruzedajirulikuxa.pdf
    • https://cdn.shopify.com/s/files/1/0427/7311/9143/files/samsung_software_updater_for_pc_free.pdf
    • https://cdn.shopify.com/s/files/1/0432/3550/8387/files/alsager_school_6th_form.pdf
    • https://static.usrfiles.com/ugd/99afdc_c3624e09650d419e99486921596cfb1e.pdf
    • https://static.usrfiles.com/ugd/b98abb_b9e712d6125140d3b60e8dd0444a00af.pdf
    • https://static.usrfiles.com/ugd/b8c837_189ad59eae1f4411ac9b7abda0c0600d.pdf
    • https://static.usrfiles.com/ugd/b8c837_3b0faf57070d4187bef536e0dec52e7e.pdf
    • https://static.usrfiles.com/ugd/1cc7e8_82ecf1b135b74cb18eb11f6c415d1ead.pdf
    • https://static.usrfiles.com/ugd/696b8a_91c1bafd9a0a4b86bd284e4a6a3da2f0.pdf
    • https://cdn.shopify.com/s/files/1/0436/1479/7981/files/qualis_capes_peridicos_2020.pdf
    • https://cdn.shopify.com/s/files/1/0435/9582/5314/files/46725061528.pdf
    • https://cdn.shopify.com/s/files/1/0435/4002/1407/files/vokapir.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004af8.bin
58554bda128df35bb902e47d6c8c8a325f64a7cc3917c9522454c98302900441		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4AF8 5768 bytes
font_01_sfnt_off00005e81.bin
1f0b032cefbc9753076f6e631940dc91629bab1c45462a636af25bf7b6608bd6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E81 10160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.