Malicious PDF — malware analysis report

Static analysis result for SHA-256 83ea16cee48ba12a…

MALICIOUS

PDF

39.8 KB Created: 2020-08-30 12:21:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59b313a1559de5efc09dc6963b4142e9 SHA-1: 74348c9175158b94944c7fc2901e43080d9ed8c1 SHA-256: 83ea16cee48ba12a86e4d3bc4b80ab3e117509226beda6d9a4560c18bbc09b22
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique often used to create link farms for SEO manipulation or to hide malicious URLs. One of the extracted URLs, 'https://ttraff.cc/wix?keyword=d-+link+dap-+1320', is flagged as a known malicious redirector. The document body itself is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf, suggesting it's not a typical user-facing document but rather a container for links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=d-+link+dap-+1320
    • https://cdn.shopify.com/s/files/1/0429/7208/6435/files/expanded_notation_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0441/2994/3704/files/microsoft_certification_paths.pdf
    • https://cdn.shopify.com/s/files/1/0438/7468/0987/files/48286912998.pdf
    • https://cdn.shopify.com/s/files/1/0432/3731/0632/files/14178614608.pdf
    • https://static.usrfiles.com/ugd/ae15ca_42cc6d75642047c29874be892dc51417.pdf
    • https://static.usrfiles.com/ugd/b8c837_c63e815e773a4c7ea93a1fa3253f668e.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b38c6e2aa7846ceaa1715db355501a9.pdf
    • https://cdn.shopify.com/s/files/1/0432/5159/7480/files/16063754274.pdf
    • https://cdn.shopify.com/s/files/1/0463/3024/9377/files/wudar.pdf
    • https://cdn.shopify.com/s/files/1/0434/3493/4429/files/51588445660.pdf
    • https://cdn.shopify.com/s/files/1/0432/5959/2859/files/2016_gmc_acadia_driver_information_center.pdf
    • https://cdn.shopify.com/s/files/1/0433/8447/1710/files/27623737303.pdf
    • https://cdn.shopify.com/s/files/1/0434/5679/0678/files/agni_natchathiram_songs_masstamilan.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c56.bin
aec5e8907b31caa86503e08897a3ac6350fe2e09991d4ac8d0c336d13973ce0f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C56 5264 bytes
font_01_sfnt_off00006e5d.bin
44a3c40cb23e36a6d3997c6ef2198c2af70ea2193975e5d3964927a01b82aed9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E5D 10652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.