Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ac4f07acd426f11…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Created: 2020-08-01 23:38:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ada7fe09edf4ac17e60ae3d720d39bd
SHA-1: d4ddc69620afd1ba5e68b018cfb7c9c61b14fafa
SHA-256: 8ac4f07acd426f1151cc0a7c5689be604496d3702263acc7906a3e2154ea0c8d
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of external links for a 44 KB document and is classified as a PDF link farm. The primary link points to a known malicious redirector at ttraff.com, and the same URL also appears in the heavily obfuscated document body, so the document's purpose is to route the reader into that redirect chain rather than to present content. The producer string identifies wkhtmltopdf, a legitimate HTML-to-PDF converter; on its own that is not an indicator, but mass-generated SEO carrier PDFs of this kind are commonly rendered from HTML templates with such tools.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) records which part of the file reached each URL.
    • https://ttraff.com/pify?keyword=six+foot+seven+foot+lyric
    • http://files.amysommerville.com/uploads/1/3/1/4/131483386/pewanizunod_votezafepukex_vetazeguwewimi.pdf
    • http://files.michiganpiperehab.com/uploads/1/3/2/8/132814476/b6518acc.pdf
    • http://files.weigh-right.com/uploads/1/3/1/8/131856170/d7b0d67a0f.pdf
    • http://files.theprofbodyforum.org/uploads/1/3/0/9/130969992/tozereke-filep-rusib-ruxosifabejigog.pdf
    • https://cdn.shopify.com/s/files/1/0435/2249/0532/files/how_to_uninstall_nvidia_drivers.pdf
    • https://cdn.shopify.com/s/files/1/0434/6868/5464/files/75312864261.pdf
    • https://cdn.shopify.com/s/files/1/0436/0660/5987/files/76160270382.pdf
    • https://cdn.shopify.com/s/files/1/0431/2183/6193/files/42682948527.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/visaboxe.pdf
    • https://cdn.shopify.com/s/files/1/0434/9755/4084/files/72923448462.pdf
    • https://cdn.shopify.com/s/files/1/0429/8031/1203/files/92777043708.pdf
    • https://cdn.shopify.com/s/files/1/0434/3549/1490/files/28171082025.pdf
    • https://cdn.shopify.com/s/files/1/0438/0426/2561/files/27414250429.pdf
    • https://cdn.shopify.com/s/files/1/0435/5971/4971/files/16061938974.pdf
    • https://cdn.shopify.com/s/files/1/0430/3365/7507/files/gafalanexoxi.pdf
    • https://cdn.shopify.com/s/files/1/0435/2878/1988/files/pokafuwomamorijin.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rumifagekesodurelakalon.pdf
    • https://cdn.shopify.com/s/files/1/0432/6329/5654/files/79829705493.pdf
    The following six URLs are RDF/XMP namespace identifiers from the document's metadata stream, not clickable link targets; they appear in any XMP-tagged PDF and carry no signal here:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
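The two critical heuristics above (a link to known redirector infrastructure, and a small PDF whose /Link annotations are mostly same-host .pdf URLs) can be reproduced with a short standalone script. The example below is added here and is not the analysis platform's code: it builds a constructed, uncompressed PDF in memory so it runs offline, pulls /URI targets from the raw bytes with a regex, and applies both rules. The redirector host list is seeded from this report's single finding, and the size, link-count and host-share thresholds are illustrative assumptions, not the platform's tuning. Compressed object streams, hex-string URIs and indirect /A dictionaries would need a real PDF parser; this toy deliberately handles only the literal-string case.

```python
"""Toy reproduction of the PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM
heuristics over a PDF's /Link annotations. Added example, not the platform's code."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: seeded from this report's finding; a real check would use a threat feed.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}
# Assumption: illustrative thresholds for the "small carrier, mass link farm" rule.
MAX_CARRIER_SIZE = 100 * 1024   # bytes
MIN_PDF_LINKS = 8
MIN_TOP_HOST_SHARE = 0.6

# Literal-string /URI entries in uncompressed objects only (toy limitation: no hex
# strings, no escaped parentheses, no indirect /A action dictionaries).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def build_pdf(uris):
    """Construct a minimal one-page PDF whose only content is /Link annotations.
    Constructed test input; the xref is written so the result is a valid PDF."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for n, uri in enumerate(uris):
        rect = b"[72 %d 540 %d]" % (700 - 14 * n, 712 - 14 * n)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect
                    + b" /A << /S /URI /URI (" + uri.encode() + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


def extract_uris(pdf_bytes):
    """Return every /URI action target found in the raw bytes (link-annotation channel)."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)]


def analyze_pdf(pdf_bytes):
    """Apply the two critical heuristics plus the informational EMBEDDED_URL label."""
    uris = extract_uris(pdf_bytes)
    hosts = [urlparse(u).hostname or "" for u in uris]
    # Only links whose path ends in .pdf count towards the link-farm rule.
    pdf_hosts = [h for u, h in zip(uris, hosts) if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_count = (Counter(pdf_hosts).most_common(1) or [("", 0)])[0]
    share = top_count / len(pdf_hosts) if pdf_hosts else 0.0
    hits = []
    if any(h == r or h.endswith("." + r) for h in hosts for r in KNOWN_REDIRECTOR_HOSTS):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf_bytes) <= MAX_CARRIER_SIZE and len(pdf_hosts) >= MIN_PDF_LINKS
            and share >= MIN_TOP_HOST_SHARE):
        hits.append("PDF_SEO_LINK_FARM")
    if uris:
        hits.append("EMBEDDED_URL")
    return {"size": len(pdf_bytes), "uris": uris, "pdf_link_count": len(pdf_hosts),
            "top_host": top_host, "top_host_share": share, "hits": hits}


# Constructed sample modelled on the report: one redirector link plus a cluster of
# same-host .pdf links and a few stragglers (paths, ids and .test hosts are made up).
SAMPLE_URIS = (["https://ttraff.com/pify?keyword=six+foot+seven+foot+lyric"]
               + ["https://cdn.shopify.com/s/files/1/0000/%04d/0000/files/%d.pdf" % (i, 10000 + i)
                  for i in range(12)]
               + ["http://files.example-host%d.test/uploads/%d.pdf" % (i, i) for i in range(3)])
SAMPLE_PDF = build_pdf(SAMPLE_URIS)

if __name__ == "__main__":
    r = analyze_pdf(SAMPLE_PDF)
    print("size: %d bytes, %d URIs, %d .pdf links" % (r["size"], len(r["uris"]), r["pdf_link_count"]))
    print("top host: %s (%.2f of .pdf links)" % (r["top_host"], r["top_host_share"]))
    print("hits:", r["hits"])
```

Running it on the constructed sample fires both critical heuristics plus EMBEDDED_URL, while a one-link PDF built with the same helper yields only the informational label. The same regex pass also shows why the XMP namespace URIs in the list above do not count: they live in the metadata stream, not in a /URI action, so the link-annotation channel never reaches them.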

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                      Size
font_00_sfnt_off0000702e.bin  08aa595397bef0d9ef52e8bd3aa4310f6353799e4a9a40f681148ac929fae4b6  pdf-font-stream  PDF embedded font (sfnt) at offset 0x702E    5000 bytes
font_01_sfnt_off0000815a.bin  3d7e2cf6a6245ae7b5b82343576407c57ccaa4b91cf626b8d91dd6e15ae0d591  pdf-font-stream  PDF embedded font (sfnt) at offset 0x815A   10136 bytes