Malicious PDF — malware analysis report

Static analysis result for SHA-256 88ae3cb273429106…

MALICIOUS

PDF

Size: 43.0 KB
Created: 2020-09-18 04:38:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 80e10c07326bb46efdc71842f8c375f5
SHA-1: 6af124905aa94cacab6d562d65dab22f8f2e4e2b
SHA-256: 88ae3cb2734291066b1ea0da25beff16e44d64811d013dc7e5fca25b0b125d45
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a mass external link farm, with one critical heuristic identifying a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.club/wix?keyword=sao+alicization+all+characters', which is likely intended to lead the user to a malicious site. The presence of numerous PDF links, many pointing to benign files, suggests a link farm designed to obscure the malicious destination.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.club/wix?keyword=sao+alicization+all+characters

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005a55.bin | 4a49bba7df462578d3d46660d617a1751fc31e110d540bc1439a5f2ae26f9665 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A55 | 4444 bytes
font_01_sfnt_off000069ea.bin | 2cd962809d11904d557b8b7e73c2b828ccef23057d652d9bf3d9761afa170faa | pdf-font-stream | PDF embedded font (sfnt) at offset 0x69EA | 5040 bytes
font_02_sfnt_off00007b07.bin | cd33d98f04883d611b89818c318958de302884d74738aa57faba074dbc76e4bb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B07 | 10636 bytes