Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e683d11bdf82e1a…

Verdict: MALICIOUS

File type: PDF

Size: 33.0 KB
Created: 2020-08-15 03:16:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7e3bb0d8426bd54af3ab59d78a36e41d
SHA-1: 01cac4378046fd09069ec2dc22c3e460bfdfa505
SHA-256: 8e683d11bdf82e1a758a1eb3496dfeba9d545560f8e49ee6102f716369a3d665
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a link that redirects to a known malicious domain, ttraff.com. This domain is likely used to host further malicious content or phishing pages. The document body, though heavily obfuscated, contains the same URL and appears to be a lure related to sheet music, aiming to trick users into clicking the malicious link. The presence of numerous other PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to increase visibility.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=sleeping+at+last+saturn+violin+sheet+music
    • http://fesekef.militaryhistorylive.co.uk/uploads/1/3/0/8/130873851/1807610.pdf
    • https://cdn.shopify.com/s/files/1/0433/6576/1176/files/vemototevivotikafajixuwe.pdf
    • https://cdn.shopify.com/s/files/1/0434/4909/0200/files/comment_fusionner_deux_documents_en_un_seul_sur_mac.pdf
    • https://cdn.shopify.com/s/files/1/0433/4485/5195/files/hernia_de_disco_dorsal.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/39843759369.pdf
    • https://cdn.shopify.com/s/files/1/0431/3936/7061/files/mechanical_working_drawing_handbook.pdf
    • https://cdn.shopify.com/s/files/1/0434/1219/3438/files/23761800740.pdf
    • https://cdn.shopify.com/s/files/1/0432/5765/9547/files/dufugejur.pdf
    • https://cdn.shopify.com/s/files/1/0434/5751/1590/files/chaconne_segovia.pdf
    • https://cdn.shopify.com/s/files/1/0430/0154/4863/files/15863257434.pdf
    • https://cdn.shopify.com/s/files/1/0431/9451/5614/files/phd_thesis_in_accounting_and_finance.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xasojikunu.pdf
    • https://cdn.shopify.com/s/files/1/0431/0335/5034/files/14014437094.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000435d.bin
SHA-256: d99c185e26b5b136724c8abd226e0dae9a07b8f5e384ab88b1931442c1a5dc05
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x435D
Size: 5512 bytes

Filename: font_01_sfnt_off000055f0.bin
SHA-256: fcee726807f053f79afceb9727e5f6e466c52014e61b575e85c8a370bc83779f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x55F0
Size: 9728 bytes