Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e8cf572f09508fb…

MALICIOUS

PDF

Size: 43.4 KB
Created: 2020-08-07 21:47:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4fd608cc31db192d4f667a1deffda051
SHA-1: 66b958a0dd618b64ae6a48e20b939bf6966aec8d
SHA-256: 8e8cf572f09508fbc43cba3de19b994587c33b6d6a21ecdb415604f4a38958b8
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF fired the PDF_MALICIOUS_REDIRECTOR_LINK heuristic, indicating that it directs users to malicious infrastructure. It also fired PDF_SEO_LINK_FARM, which flags a large number of outbound links; many of them point to Shopify domains hosting other PDFs. The primary malicious URL is on ttraff.com, which acts as a redirector. The document body contains obfuscated text but prominently features the malicious URL alongside several benign-looking Shopify URLs, likely part of the link farm.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=rudofsky+architecture+without+architects+pdf
    • http://files.ryanmarkmorgan.com/uploads/1/3/1/3/131383613/ab4ddbf88c4fe.pdf
    • http://files.psacollegecounseling.com/uploads/1/3/2/7/132712614/1307266.pdf
    • http://dosipivi.annettedelcanto.com/uploads/1/3/1/6/131636725/9324184b6d2d6f.pdf
    • http://luvetuk.monicaburtonyoga.com/uploads/1/3/1/4/131409090/479252.pdf
    • http://zegeru.gktfreechurch.com/uploads/1/3/1/6/131637881/6761200.pdf
    • https://cdn.shopify.com/s/files/1/0429/9004/3285/files/sufijifelif.pdf
    • https://cdn.shopify.com/s/files/1/0432/2436/7262/files/gagupafuvebolejololanafi.pdf
    • https://cdn.shopify.com/s/files/1/0428/0814/8127/files/59913967485.pdf
    • https://cdn.shopify.com/s/files/1/0433/0127/3760/files/sowofif.pdf
    • https://cdn.shopify.com/s/files/1/0439/2553/6936/files/bazirekimetatubobi.pdf
    • https://cdn.shopify.com/s/files/1/0431/9982/4032/files/67864051217.pdf
    • https://cdn.shopify.com/s/files/1/0431/7793/5004/files/ti_30xa_manual.pdf
    • https://cdn.shopify.com/s/files/1/0428/8331/7926/files/naturalism_philosophy.pdf
    • https://cdn.shopify.com/s/files/1/0434/0600/0282/files/xusapuzopi.pdf
    • https://cdn.shopify.com/s/files/1/0437/2417/7576/files/gemosusomesedofurodafidow.pdf
    • https://cdn.shopify.com/s/files/1/0439/2275/1643/files/begatobepiradumuvonomid.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006af4.bin
  SHA-256: e7238967f8e6e5ca6b956ce917ff8d0dd925399689edc6d80a31656a338be626
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6AF4
  Size: 5476 bytes

Filename: font_01_sfnt_off00007db6.bin
  SHA-256: e7ce02f7767e3635014a02274759f05294801473fa09a32084e1f7829b688040
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7DB6
  Size: 10304 bytes