Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f4974f8ee5861ca…

MALICIOUS

PDF

43.3 KB Created: 2020-09-07 00:44:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f80f5d2fc10b35f65d3c49f09442dae SHA-1: 2c9af71b7ccba11da35a9542ee6924d8ef26aec2 SHA-256: 8f4974f8ee5861ca47a64a7c5f5fda6d4a23eb455f83211b1db2fde3f2014db1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing indicating it is a malicious redirector link, specifically pointing to a URL designed to mimic an app store promotion. The document body, though heavily obfuscated, contains the same lure text and URLs. The primary malicious URL, 'https://ttraff.link/wix?keyword=google+play+store+app+install+free', is the main IOC, likely leading to further malicious content or phishing pages.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=google+play+store+app+install+free
    • https://cdn.shopify.com/s/files/1/0430/7202/8833/files/75490835150.pdf
    • https://cdn.shopify.com/s/files/1/0430/9696/5269/files/autodesk_autocad_2020.pdf
    • https://cdn.shopify.com/s/files/1/0431/5522/6773/files/85485452315.pdf
    • https://static.usrfiles.com/ugd/917232_0e0c7fda7e8945dba153669c37568434.pdf
    • https://static.usrfiles.com/ugd/d43733_9c975ec6a358485caabeda0c572f1383.pdf
    • https://static.usrfiles.com/ugd/1d3654_72935ca0175f4825a21e3e72b4c82136.pdf
    • https://static.usrfiles.com/ugd/003b86_193ece54fcdb4987be9ab4b26a2c1231.pdf
    • https://static.usrfiles.com/ugd/ae059d_0063e45808364ae384c16733b1ca131a.pdf
    • https://static.usrfiles.com/ugd/4bb894_2c8e6f352a0548828bc1bc40ecf5c1f1.pdf
    • https://static.usrfiles.com/ugd/fef373_c68c735b4e57493c87d221c08ab88dc8.pdf
    • https://static.usrfiles.com/ugd/89c6ad_da6c489b86c94f16a1112429c04122ee.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b2d.bin
9ff6cd364a87084f169d33a42834a4d843d2f8c9d6e632794e528363138d0189		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B2D 5204 bytes
font_01_sfnt_off00007d00.bin
9a84bccb4d231ced2e1679cbd634d7f0063f5634b87705baa81263e217fe1ff7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D00 10408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.