Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fe3e76aca83011e…

MALICIOUS

PDF

41.1 KB Created: 2020-08-17 02:42:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b883d7e038c3f45779fa05479b48edb SHA-1: 047deff27a3fb8df9e44d16f1f1fb7d48eaf7952 SHA-256: 7fe3e76aca83011ecba51a75da5745e5e0a7eaca4f49b102e117dc2adef341e6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm or SEO manipulation tactic. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.cc/pify?keyword=bitdefender+antivirus+plus+2017++free'. The document body, though heavily corrupted, contains fragments that appear to be related to software names and URLs, reinforcing the lure of a software download. The primary intent appears to be redirecting users to malicious sites, likely for phishing or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=bitdefender+antivirus+plus+2017++free
    • http://pazeji.davidcopher.com/uploads/1/3/1/3/131398489/458416.pdf
    • https://cdn.shopify.com/s/files/1/0430/6327/9767/files/wavuxavedojotaxaworimewe.pdf
    • https://cdn.shopify.com/s/files/1/0435/3359/8880/files/rimepejomesatovirile.pdf
    • https://cdn.shopify.com/s/files/1/0435/2281/8200/files/34557711675.pdf
    • https://cdn.shopify.com/s/files/1/0437/7329/6801/files/xelozafijizu.pdf
    • https://cdn.shopify.com/s/files/1/0433/5576/6942/files/noxudite.pdf
    • https://cdn.shopify.com/s/files/1/0433/8155/5350/files/el_almohadn_de_plumas_para_descargar.pdf
    • https://cdn.shopify.com/s/files/1/0431/6705/6028/files/74718730685.pdf
    • https://cdn.shopify.com/s/files/1/0440/4353/4486/files/2058518732.pdf
    • https://cdn.shopify.com/s/files/1/0429/8306/3715/files/accounting_and_finance_for_managers_for_mba.pdf
    • https://cdn.shopify.com/s/files/1/0429/0710/7495/files/annexure_d1_hssc.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000061eb.bin
26b301529bfdf35be433e68b25aabbf72e76c825687785425bab6d9c4a58edb0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61EB 5552 bytes
font_01_sfnt_off000074e5.bin
725cff662b07ba3225fc24f3092fc227fe59fbcf11a57914b8257c5c3152395e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74E5 10348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.