Malicious PDF — malware analysis report

Static analysis result for SHA-256 7feb8e034ffafbec…

MALICIOUS

PDF

39.7 KB Created: 2020-08-20 04:59:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 48665e685d94e903c12d9eda6d71d99b SHA-1: 5a54a12c661771a815b7aa2553dc8478043da45e SHA-256: 7feb8e034ffafbec2456be124bda1819132a6066e68311401a8525d41120fa6f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One critical heuristic firing indicates a PDF redirector link to 'ttraff.com', which is known malicious infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=how+to+call+over+wifi+android', suggesting a lure to a malicious site. The presence of numerous links and the redirector strongly indicate a phishing or malicious redirection attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=how+to+call+over+wifi+android
    • http://files.joyfultreasureschildcare.com/uploads/1/3/1/6/131606186/33bd10ff469b.pdf
    • http://files.melisacadell.com/uploads/1/3/1/6/131606491/9ea5bb53.pdf
    • http://files.heathercorballybryant.com/uploads/1/3/2/8/132816066/5221430.pdf
    • https://cdn.shopify.com/s/files/1/0438/1048/8477/files/mixunul.pdf
    • https://cdn.shopify.com/s/files/1/0431/7180/7391/files/16469700147.pdf
    • https://cdn.shopify.com/s/files/1/0437/1097/2053/files/91161573794.pdf
    • https://cdn.shopify.com/s/files/1/0448/3776/5282/files/45076409882.pdf
    • https://cdn.shopify.com/s/files/1/0434/2703/7336/files/kewodutupotu.pdf
    • https://cdn.shopify.com/s/files/1/0448/5431/3122/files/mathematics_grade_6_curriculum_guide.pdf
    • https://cdn.shopify.com/s/files/1/0429/3066/7673/files/vejow.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wojifuxazax.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/bagubiginapir.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/63529720688.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005eed.bin
a02d15de16b429bdb308c539daef62196d7ec3876fa089a045ac785c7de88d82		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EED 4952 bytes
font_01_sfnt_off00006fe6.bin
ca6d334f91ff19a1e59ce3cfa45b2a920efade77d91ca3cda0a6b96d4d814c77		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FE6 10024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.