Malicious PDF — malware analysis report

Static analysis result for SHA-256 881aded5a32ff386…

MALICIOUS

PDF

37.2 KB Created: 2020-08-22 10:41:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9742a40e44086652d0ffd9af35995471 SHA-1: 702f64800586cccc168a4890affe33716296889d SHA-256: 881aded5a32ff386684d65c7dbe5a271212f5a03a40f23ddcb08bdb6dffaaed7
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Link

The PDF contains multiple embedded links, with one pointing to a known malicious redirector. The document body text and heuristic firings indicate a social engineering lure to install a browser extension. The primary malicious URL is ttraff.com, which redirects to a page suggesting a 'video helper opera extension'. The presence of numerous links, including to Shopify domains, suggests an attempt to obscure the malicious redirector and potentially engage in SEO manipulation for broader distribution.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=video+helper+opera+extension
    • http://rixep.notsuchsecretlife.com/uploads/1/3/2/6/132695675/138c3.pdf
    • https://cdn.shopify.com/s/files/1/0432/3803/1518/files/tunijilajaxuzita.pdf
    • https://cdn.shopify.com/s/files/1/0430/5554/6517/files/5520434212.pdf
    • https://cdn.shopify.com/s/files/1/0446/9909/1098/files/nutritional_importance_of_carbohydrates.pdf
    • https://cdn.shopify.com/s/files/1/0427/5470/3526/files/kubaxiwujukofodirak.pdf
    • https://cdn.shopify.com/s/files/1/0437/5294/7873/files/ditopofegixejozisitot.pdf
    • https://cdn.shopify.com/s/files/1/0432/9714/4990/files/pubiw.pdf
    • https://cdn.shopify.com/s/files/1/0433/9164/7894/files/ocr_a_level_chemistry_textbook_answers.pdf
    • https://cdn.shopify.com/s/files/1/0431/6086/2882/files/vaxuzopufotisowawevor.pdf
    • https://cdn.shopify.com/s/files/1/0434/0475/5096/files/786597867.pdf
    • https://cdn.shopify.com/s/files/1/0432/2508/8168/files/nabetax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000054ab.bin
ed7c6692806fe132992726389282911728865417572856ace21e19b39a58b909		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54AB 5080 bytes
font_01_sfnt_off000065e9.bin
63a92ce7ef659fe451f1a6a57b27cb4872065f2bcd1e27b45bafc5e29d0b2c7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65E9 10052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.