Malicious PDF — malware analysis report

Static analysis result for SHA-256 9119d2a4642da393…

MALICIOUS

PDF

45.6 KB Created: 2020-08-04 14:09:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d6a1611406b7a91ed7e9540e0863efe SHA-1: f768ecd012e9b1d16f84444d3dcfa3409210c442 SHA-256: 9119d2a4642da393466ec452f8218c9365d12aafab5a9659a40565aedecfa69a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector service (ttraff.cc) known for malicious activity. The document body, though heavily obfuscated, contains text referencing 'rei camping checklist pdf' and a URL that appears to be part of this lure. The primary attack pattern involves tricking users into clicking these malicious links, likely leading to further compromise.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=rei+camping+checklist+pdf
    • http://files.standuprasash.com/uploads/1/3/1/1/131164472/zijijanovim.pdf
    • http://files.papayasplace.com/uploads/1/3/0/7/130775071/karejipejatexi_pigepuvuk.pdf
    • http://files.baldmanandhumans.com/uploads/1/3/1/6/131606492/wuzonupene.pdf
    • http://files.worlestonvillagehall.net/uploads/1/3/1/4/131483147/gusafomun.pdf
    • https://cdn.shopify.com/s/files/1/0437/2761/8209/files/xogenivumuvizezul.pdf
    • https://cdn.shopify.com/s/files/1/0429/0255/2742/files/rojev.pdf
    • https://cdn.shopify.com/s/files/1/0430/6327/9767/files/37825013267.pdf
    • https://cdn.shopify.com/s/files/1/0429/7759/1449/files/rezukidonefeti.pdf
    • https://cdn.shopify.com/s/files/1/0438/8713/2827/files/2013_acura_rdx_manual.pdf
    • https://cdn.shopify.com/s/files/1/0427/6033/9623/files/24005064645.pdf
    • https://cdn.shopify.com/s/files/1/0431/6335/3244/files/gipubefu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/18813115042.pdf
    • https://cdn.shopify.com/s/files/1/0434/7317/4680/files/gta_5_the_mission_has_been_disrupted.pdf
    • https://cdn.shopify.com/s/files/1/0431/8894/5064/files/passive_form_exercises_all_tenses.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000075cd.bin
6a35f9937bbb573b25b1319f33efe8b92a09794480deff0e36c08b7c2f16d690		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75CD 5544 bytes
font_01_sfnt_off0000888b.bin
2cd759a28b5e2bb6095ac562bb79c5191f5c0569118656c1e7296b8b45f66f48		 pdf-font-stream PDF embedded font (sfnt) at offset 0x888B 9744 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.