Malicious PDF — malware analysis report

Static analysis result for SHA-256 83c3a30234f36d01…

MALICIOUS

PDF

38.3 KB Created: 2020-08-17 17:28:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4da037603d7eeb024206ca0a3933c9a0 SHA-1: 4fd3f5e622293e7358027d433be0b57e02096936 SHA-256: 83c3a30234f36d014a912e28b6036047d1fc96442c8dff675399e274e0f4ac5f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many pointing to shopify.com domains, which is indicative of a link farm or SEO poisoning attempt. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.cc/pify?keyword=source+sans+pro++dafont'. The document body contains garbled text but also includes the redirector URL, suggesting the primary purpose is to direct users to malicious or deceptive content through these links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=source+sans+pro++dafont
    • http://files.lindsay-hamilton.com/uploads/1/3/1/4/131408899/visagemoram-dagogamawe-gumejosujejok.pdf
    • https://cdn.shopify.com/s/files/1/0433/6241/8846/files/45355441385.pdf
    • https://cdn.shopify.com/s/files/1/0432/0778/6657/files/68805915080.pdf
    • https://cdn.shopify.com/s/files/1/0431/3494/3388/files/famanodewitivi.pdf
    • https://cdn.shopify.com/s/files/1/0429/4259/5239/files/24805185579.pdf
    • https://cdn.shopify.com/s/files/1/0431/2032/8853/files/18096231407.pdf
    • https://cdn.shopify.com/s/files/1/0438/7766/2875/files/57255773500.pdf
    • https://cdn.shopify.com/s/files/1/0431/5067/2026/files/34375058467.pdf
    • https://cdn.shopify.com/s/files/1/0431/7154/5237/files/sefigafo.pdf
    • https://cdn.shopify.com/s/files/1/0437/0015/8629/files/important_current_affairs_of_september_2020.pdf
    • https://cdn.shopify.com/s/files/1/0430/3811/3955/files/fepojizo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000561f.bin
9f5a1f950525f0fe15b4befb58fbae1a6e9a4f855891254e2e2ebe89084e914b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x561F 5220 bytes
font_01_sfnt_off000067e3.bin
160831ba9090ec258bdca14cdd967acce873348f140ce9d7d3cbff4fbfb08e47		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67E3 11388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.