Malicious PDF — malware analysis report

Static analysis result for SHA-256 83fe855d0447eefe…

MALICIOUS

PDF

43.2 KB Created: 2020-08-30 10:57:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 820740ada05fe980d8a0c944eae06e04 SHA-1: 9ec722d0f8307448130a415cec3f25335c177eff SHA-256: 83fe855d0447eefed690afa10912460992ebe27fd2deafb1b5c98f6e6ca8cfca
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=2006+hyundai+tucson+owners+manual+free'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on cdn.shopify.com. The document body text, though partially corrupted, contains the same search query, reinforcing the lure. The primary malicious IOC is the redirector URL, which is likely used to deliver a secondary payload.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=2006+hyundai+tucson+owners+manual+free
    • https://cdn.shopify.com/s/files/1/0433/0323/9835/files/58821857206.pdf
    • https://cdn.shopify.com/s/files/1/0436/0637/6611/files/autodesk_revit_tutorials.pdf
    • https://cdn.shopify.com/s/files/1/0432/3042/9352/files/miliza.pdf
    • https://cdn.shopify.com/s/files/1/0431/7803/3313/files/passive_form_to_be_past_participle.pdf
    • https://cdn.shopify.com/s/files/1/0435/6695/6707/files/the_staff_of_serapis.pdf
    • https://cdn.shopify.com/s/files/1/0432/6155/8944/files/zuwowol.pdf
    • https://cdn.shopify.com/s/files/1/0431/6902/2109/files/jovurewuperofosamirivug.pdf
    • https://cdn.shopify.com/s/files/1/0430/8838/0061/files/jixejapemojurifupu.pdf
    • https://static.usrfiles.com/ugd/eb4c03_9f5bd5008ea542d7af4606c9911ca888.pdf
    • https://static.usrfiles.com/ugd/45e30f_22a12a1373f4471b8a0ab8920fc480fe.pdf
    • https://static.usrfiles.com/ugd/b8c837_f7e045fa6027442aba0fa44c69704afa.pdf
    • https://static.usrfiles.com/ugd/f515ca_00ebef0dd4e94aaa9b62c87f166b1f45.pdf
    • https://static.usrfiles.com/ugd/b8c837_ed2ec2532ab9414db6307d41b171cbf8.pdf
    • https://static.usrfiles.com/ugd/b8c837_c05a9009fa644067b1e0193020c6a0eb.pdf
    • https://static.usrfiles.com/ugd/4cf28d_d1c0ae4aa2454ae6a51d57a98de7b04c.pdf
    • https://static.usrfiles.com/ugd/b4609a_9a1e9ad5437145488d21f686a87dc86f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000067a3.bin
3413383a2c8800598a52e7b0a9732f36580ccda3e139fb566dae40cc50cdd264		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67A3 5788 bytes
font_01_sfnt_off00007b30.bin
5609b1814954ba5153e1fc2133f869cba08668f0e24ae16a82c2469d7ee2ed72		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B30 10820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.