Malicious PDF — malware analysis report

Static analysis result for SHA-256 59fbbad71f7c5626…

MALICIOUS

PDF

102.1 KB Created: 2020-08-08 00:31:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ca7cf959232485e198e8e5a15257678 SHA-1: 6679ff98639d7ba14d395cd91c440551af3a3444 SHA-256: 59fbbad71f7c5626a25617ac3776beba838a1681b3ce48db0c3713a9e5a3279e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic identifying a link to a known malicious redirector (ttraff.cc). The document body, though heavily obfuscated, contains text related to Buddhism and the URL itself, suggesting a lure. The presence of a large number of external PDF links, many hosted on Shopify, indicates a link farm strategy, likely to improve SEO for malicious content or to obscure the final destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=tout+sur+le+bouddhisme+pdf
    • http://files.stephaniemorianner.com/uploads/1/3/2/3/132303359/9494177.pdf
    • http://files.epicrobotics.co.uk/uploads/1/3/1/4/131437919/fubikufukazalum_supesadibapi_dopofuzu.pdf
    • http://files.tierradelcielofarm.com/uploads/1/3/1/8/131872079/14e18b36185.pdf
    • https://cdn.shopify.com/s/files/1/0430/7727/1713/files/zobajijedazonalexurotag.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/94448736580.pdf
    • https://cdn.shopify.com/s/files/1/0440/2590/5317/files/queen_bohemian_rhapsody_partitura.pdf
    • https://cdn.shopify.com/s/files/1/0433/3033/8966/files/28_days_later_theme_song.pdf
    • https://cdn.shopify.com/s/files/1/0428/8105/6935/files/gaxajeni.pdf
    • https://cdn.shopify.com/s/files/1/0429/2696/4895/files/functional_cv_example.pdf
    • https://cdn.shopify.com/s/files/1/0434/1828/8285/files/7754963454.pdf
    • https://cdn.shopify.com/s/files/1/0432/8800/2710/files/94697305809.pdf
    • https://cdn.shopify.com/s/files/1/0437/1926/2357/files/el_aprendizaje_visual.pdf
    • https://cdn.shopify.com/s/files/1/0438/1478/1085/files/damusafapulebiz.pdf
    • https://cdn.shopify.com/s/files/1/0435/9300/7272/files/gokujebanenig.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/70745323757.pdf
    • https://cdn.shopify.com/s/files/1/0437/3417/1813/files/download_tomb_of_annihilation.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000150b1.bin
68e22b2aa894c35c9640cfaa813c2aed25c3c1ca13e8edf6c0132f5d4203e0cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x150B1 5160 bytes
font_01_sfnt_off00016209.bin
92b86ec37af30c502209338cb050385121a76c51d75e6e88f10ca493246f5f8e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16209 12708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.