Malicious PDF — malware analysis report

Static analysis result for SHA-256 80c0ad2d534c3279…

MALICIOUS

PDF

51.2 KB Created: 2020-08-07 03:27:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85188dd79853cf6e75192de40b138b2b SHA-1: 52f8a2af1989db3878da4819a928f49dc72259c7 SHA-256: 80c0ad2d534c32794bcc778f5a341988b2b1bc4795098ed38d59dcd04aaba9f4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm and a critical redirector link pointing to ttraff.com, indicating a phishing or malicious redirection attempt. The document body, though heavily obfuscated, contains the same URL, reinforcing the malicious intent. No scripts were extracted, but the primary attack vector is the embedded malicious URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=china+s+belt+and+road+initiative+five+years+later+pdf
    • http://files.personalspaceproject.com/uploads/1/3/2/7/132740343/piwepapefa-kavijabojexopi-fuwuwumewa.pdf
    • http://files.jazzlegaspi.com/uploads/1/3/1/4/131452735/3307c7392784b.pdf
    • http://files.andriopoulos.org/uploads/1/3/1/4/131452935/995b2254b090.pdf
    • https://cdn.shopify.com/s/files/1/0434/4007/9005/files/37680526969.pdf
    • https://cdn.shopify.com/s/files/1/0431/9707/1524/files/xuvuwanulakagolu.pdf
    • https://cdn.shopify.com/s/files/1/0432/2351/5294/files/osnove_automatskog_upravljanja_knjiga.pdf
    • https://cdn.shopify.com/s/files/1/0428/5195/8947/files/tuzonexilamemivar.pdf
    • https://cdn.shopify.com/s/files/1/0430/7006/2754/files/66166766468.pdf
    • https://cdn.shopify.com/s/files/1/0428/3400/2086/files/nadegonerat.pdf
    • https://cdn.shopify.com/s/files/1/0433/0517/3147/files/wolf_gang_puck_food_processor.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/57032902602.pdf
    • https://cdn.shopify.com/s/files/1/0441/2702/7352/files/94406959342.pdf
    • https://cdn.shopify.com/s/files/1/0439/8622/3262/files/papizopuvonewamezinovefe.pdf
    • https://cdn.shopify.com/s/files/1/0432/8531/5737/files/97779523877.pdf
    • https://cdn.shopify.com/s/files/1/0432/0133/1360/files/gitivusawita.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000089e8.bin
1e76da04441ed2e1b62f22a623c1fe05c809ff9af8fdfbe953ee15403ed2d8a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89E8 5336 bytes
font_01_sfnt_off00009c0b.bin
eaf752f423860c889fa1cc4862984887f472d1fbcecab5af4a28b1901d18a179		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9C0B 10564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.