Malicious PDF — malware analysis report

Static analysis result for SHA-256 78992deb7db74f74…

MALICIOUS

PDF

35.2 KB Created: 2020-08-31 23:43:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe9766da927c856f86d16c39ff7657bf SHA-1: 647d3e1f6d3efcf4f78eff6a3172bf15cd877a8c SHA-256: 78992deb7db74f7468749f9b9b7477f486a9cf85a331a97a77ac05b1cb752d03
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with a critical heuristic firing indicating it is a PDF link farm. One of the primary links directs to a known malicious redirector service (ttraff.com), suggesting an attempt to lure users to a harmful site. The document body contains garbled text alongside URLs, further supporting the malicious intent of redirecting users.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=saho+audio+songs++naa+songs
    • https://cdn.shopify.com/s/files/1/0437/6743/1329/files/beauty_salon_flyers_templates_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/0076/6369/files/94094496082.pdf
    • https://cdn.shopify.com/s/files/1/0430/1019/5605/files/edgar_allan_poe_cuentos_de_misterio_e_imaginacion.pdf
    • https://cdn.shopify.com/s/files/1/0463/1691/2800/files/pozumididi.pdf
    • https://static.usrfiles.com/ugd/111c46_fb041ee5d7934b87bfb80db34ff54a08.pdf
    • https://static.usrfiles.com/ugd/538d67_a48b11d60322497faaa02727da0c8ba3.pdf
    • https://static.usrfiles.com/ugd/909b15_c666746b4a6e456886e33f2cff8c6d38.pdf
    • https://static.usrfiles.com/ugd/b8c837_35d7fe3975484e47b6969a38e5d887e6.pdf
    • https://static.usrfiles.com/ugd/3d0627_688356c2f3d9431786096b412f080f81.pdf
    • https://static.usrfiles.com/ugd/808d8c_fca73cd6ce4f4dc9906b3fa533c07ea4.pdf
    • https://static.usrfiles.com/ugd/ce0e6d_0a7a939ea19e47519b1501fbe53e0e6b.pdf
    • https://static.usrfiles.com/ugd/b8c837_f2569b161aa84c88860415f8f74c45e8.pdf
    • https://static.usrfiles.com/ugd/b8c837_6a002341c7854b5e9ed481ca12bec94e.pdf
    • https://static.usrfiles.com/ugd/4bdc6d_13bc75227e414e599d4c5e292db0971e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c76.bin
a564df68996ad1f31ceeae7c097a1a57940294305069d0984976bfc2c4902f39		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C76 5060 bytes
font_01_sfnt_off00005da9.bin
b45d0e622f2740982c318f037f6d5c4f3a96420a67d9000f8c4cd7c5896af9bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DA9 10244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.