Malicious PDF — malware analysis report

Static analysis result for SHA-256 8aa40ca6716b3093…

Verdict: MALICIOUS
File type: PDF
Size: 55.3 KB
Created: 2020-09-09 10:13:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7519799111e12d4b17c9ff3dd173c97d
SHA-1: 7195d2ca152eccd49f2179bde07d91dc6c229065
SHA-256: 8aa40ca6716b3093567a6b1529c072586076e658f00e7e0dee01d47b27c8cfc7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to PDF files hosted on Shopify. One of these links, however, redirects to a known malicious domain (ttraff.club). This suggests a link farm used to obscure malicious redirects or to distribute further malicious content. The document body itself is heavily obfuscated and contains the malicious URL, indicating an attempt to lure users to a harmful site.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.club/wix?keyword=android+modal+bottom+sheet+example

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000801b.bin
    SHA-256: 6d2e998bd7d06d394801e1d39e2aca5fddb2a3d146a0103732274d178b29e6ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x801B
    Size: 5184 bytes
  • Filename: font_01_sfnt_off0000917e.bin
    SHA-256: 202f4bfc7b5c75528d8a55104237e5d0f04fd313ea4d235aef76abc3e06d0aca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x917E
    Size: 15640 bytes
  • Filename: font_02_sfnt_off0000c27c.bin
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC27C
    Size: 4324 bytes