Malicious PDF — malware analysis report

Static analysis result for SHA-256 84fde526ef6c1dbe…

MALICIOUS

PDF

47.2 KB Created: 2020-08-31 04:07:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4988f3de1e6731332049c4b2ede57824 SHA-1: c6ac7afc537d49d9543dae5439a1c08dfb856f70 SHA-256: 84fde526ef6c1dbeeeb6c487f264e2abb579bc195bed62c1574ae192ad33b9d1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm for SEO manipulation. One critical heuristic identified a direct link to a known malicious redirector, ttraff.cc, which is disguised as a search result for a calculator program. This indicates a social engineering attempt to drive traffic to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=casio+fx-+9750gii+quadratic+formula+program
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/loxidunadubufurepetiverox.pdf
    • https://cdn.shopify.com/s/files/1/0428/0179/1132/files/assumptions_of_cardinal_utility_approach.pdf
    • https://cdn.shopify.com/s/files/1/0430/8202/3073/files/schizophrenia_nursing_diagnosis.pdf
    • https://cdn.shopify.com/s/files/1/0440/7286/1848/files/audition_manual_patch_2018.pdf
    • https://cdn.shopify.com/s/files/1/0435/7645/9422/files/28108998456.pdf
    • https://cdn.shopify.com/s/files/1/0437/8601/0776/files/semicolon_in_python.pdf
    • https://cdn.shopify.com/s/files/1/0433/2286/7880/files/57777098448.pdf
    • https://cdn.shopify.com/s/files/1/0428/7240/6179/files/fort_collins_weather_radar.pdf
    • https://cdn.shopify.com/s/files/1/0427/9920/2467/files/gubuwexit.pdf
    • https://cdn.shopify.com/s/files/1/0431/0145/4500/files/hotel_company_profile_example.pdf
    • https://cdn.shopify.com/s/files/1/0430/6763/7917/files/povunofu.pdf
    • https://cdn.shopify.com/s/files/1/0440/6083/6005/files/vebatupelasa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dewefezagabujam.pdf
    • https://static.usrfiles.com/ugd/95089d_ca375236dfa64a479dfd4c1488472075.pdf
    • https://static.usrfiles.com/ugd/8b49c6_52d0d2e83c5e4f7e860596593703bc9d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006248.bin
443c76e93acf1940552acd540656d30457145528d7d8f2a5a35e6a4f7d2a1f6b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6248 6108 bytes
font_01_sfnt_off000076f9.bin
2cbbaa227f1a8cd720b5eaf81ebb1c9b7b9afea3f17e638e87bdc8a4cd63b8b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76F9 10344 bytes
font_02_sfnt_off00009a5a.bin
f7c78c3597ff466a81fe6a5a03ea75aef85e7df80762409819dda4d8f9df7115		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A5A 16120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.