Malicious PDF — malware analysis report

Static analysis result for SHA-256 59416949340a112a…

MALICIOUS

PDF

34.4 KB Created: 2020-09-08 02:17:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 727ce43a5ab4a710dc797f5122d2dff8 SHA-1: 224100ebe57727e7f373e94a51487f41eb2bbdf9 SHA-256: 59416949340a112a6f362f8797db1ec3a30854dbed2ee72c7a391955f3d516de
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Endless night lion king sheet music pdf', suggesting a lure to disguise the malicious intent. The primary malicious URL is ttraff.me, which redirects to other content. The presence of multiple Shopify links indicates a link farm strategy, likely to obscure the final destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=endless+night+lion+king+sheet+music+pdf
    • https://cdn.shopify.com/s/files/1/0429/0389/6217/files/kuwamukizasiwulanisor.pdf
    • https://cdn.shopify.com/s/files/1/0440/7269/8006/files/jquery_ajax_data_format.pdf
    • https://cdn.shopify.com/s/files/1/0434/2464/5272/files/81053224241.pdf
    • https://cdn.shopify.com/s/files/1/0429/1634/8057/files/rasidivorivuritos.pdf
    • https://cdn.shopify.com/s/files/1/0433/3309/1480/files/67697025262.pdf
    • https://cdn.shopify.com/s/files/1/0436/4373/2126/files/83521372155.pdf
    • https://cdn.shopify.com/s/files/1/0459/7710/8647/files/zetafadizopelu.pdf
    • https://cdn.shopify.com/s/files/1/0428/3367/4396/files/golazabenofumirifug.pdf
    • https://cdn.shopify.com/s/files/1/0431/7426/4993/files/yamaha_cx-_a5100_manuale.pdf
    • https://cdn.shopify.com/s/files/1/0431/8976/4245/files/23653296662.pdf
    • https://cdn.shopify.com/s/files/1/0427/8406/3654/files/wamepamidosode.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004785.bin
4793ad592518671492039365c525ba39c7d9bf71f514a712d99a7aa967f09cfb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4785 5284 bytes
font_01_sfnt_off00005967.bin
f68285933a0322199d983d64c19d8dd1ab863662b484f31aea49f1a260ecbe15		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5967 10336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.