Malicious PDF — malware analysis report

Static analysis result for SHA-256 84f984e95f1c5b98…

MALICIOUS

PDF

42.7 KB Created: 2020-08-27 16:05:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 94a42b7eba75e8861361a56d34a4c6e4 SHA-1: 7f9ae47b67d16509d4b5e2e844e9e666fc8eccc3 SHA-256: 84f984e95f1c5b98f3cb4330231f7d6970fa66cd197e12031d15d1c0279f8c83
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used to create link farms for SEO manipulation or to distribute malicious content. One of the primary links, 'https://ttraff.club/pify?keyword=twin+saga+discord', is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL, reinforcing its role in the attack. The presence of numerous external PDF links, many hosted on Shopify, suggests an attempt to obscure the ultimate destination or to leverage seemingly benign platforms for distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=twin+saga+discord
    • http://winobofa.moabgear.com/uploads/1/3/1/6/131606289/3a077872.pdf
    • http://files.christchurchjax.net/uploads/1/3/1/8/131871787/4813886.pdf
    • http://files.kovametalli-in.com/uploads/1/3/2/7/132741535/sudufakopo.pdf
    • http://files.brrclub.com/uploads/1/3/0/7/130740211/cbe8aaa965.pdf
    • https://cdn.shopify.com/s/files/1/0430/1455/3763/files/potupifeninozofigami.pdf
    • https://cdn.shopify.com/s/files/1/0437/8011/2535/files/assetto_corsa_honda_s2000_mod.pdf
    • https://cdn.shopify.com/s/files/1/0430/7353/6149/files/aadhar_card_form_in_english.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/94662163826.pdf
    • https://cdn.shopify.com/s/files/1/0435/0499/2421/files/90537366479.pdf
    • https://cdn.shopify.com/s/files/1/0431/1410/2941/files/80576112322.pdf
    • https://cdn.shopify.com/s/files/1/0427/9602/3975/files/53219477670.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000054da.bin
db64a4691a761e65542288d07dfa48ea9a963adb995d2426cc5bdd736a69c6e5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54DA 3184 bytes
font_01_sfnt_off00006030.bin
812ff1420de71027e7134bb5d1059b50288ecc98988ccb66d2069a0b045fcb6f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6030 5116 bytes
font_02_sfnt_off000071a2.bin
9fcfd2b2c12c9d480c0beec3ee39f05b9e518edc5177a7a5fcc68dff0371f8a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71A2 2092 bytes
font_03_sfnt_off00007b43.bin
4a83a00d444b9b071e623e9e65787cf98cdccb57c7ae15e02880e696cccaad44		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B43 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.