Malicious PDF — malware analysis report

Static analysis result for SHA-256 919459167f530525…

MALICIOUS

PDF

47.3 KB Created: 2020-09-17 05:27:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 71061177b487473770ca9257a4bae6c7 SHA-1: 51d049d7232b5e4dba7dc8c4d8258761081e6399 SHA-256: 919459167f530525d0055a026142e97a7340b1d436512930d0bfd970e644a9f4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a PDF link farm. One of these links, 'https://ttraff.me/wix?keyword=l+arginine+cream+brands+in+india', is flagged as a malicious redirector. The document body, though heavily obfuscated, appears to contain text related to 'L arginine cream brands in india', suggesting a lure to a commercial or health-related topic to entice clicks.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=l+arginine+cream+brands+in+india
    • https://cdn.shopify.com/s/files/1/0429/5399/8487/files/kofumenevivilufe.pdf
    • https://cdn.shopify.com/s/files/1/0437/8443/7922/files/path_2_1_7_5_7.pdf
    • https://cdn.shopify.com/s/files/1/0429/6291/1391/files/88789057385.pdf
    • https://cdn.shopify.com/s/files/1/0440/2852/6742/files/loan_agreement_paper.pdf
    • https://cdn.shopify.com/s/files/1/0439/0453/2648/files/77710446378.pdf
    • https://cdn.shopify.com/s/files/1/0463/0786/8834/files/wowilanivuxi.pdf
    • https://c3b7ebe0-8102-45f3-a5c0-a76f4cf0c462.filesusr.com/ugd/8e66a5_b95f9daaa20f4c6c940f2e526905074a.pdf?index=true
    • https://cde15fe5-aabc-4175-b3ec-a4ceff70b174.filesusr.com/ugd/6f9b04_8895de3fa72a4f7b8526edeb82bf29fa.pdf?index=true
    • https://fe1f0ca4-4e52-4f21-ab09-eda1b3f72b4b.filesusr.com/ugd/2ac701_b8bae5ca3e124885911209716f7fbdb9.pdf?index=true
    • https://5ca1240e-af7f-43af-8ec9-a57d0ec22d42.filesusr.com/ugd/aaaf79_1c3d5ecd5a0043a8ba9a4ec027488b41.pdf?index=true
    • https://b15c6026-e9c5-47d4-ad3f-0149d6430129.filesusr.com/ugd/8a5fcf_718c30ad0a0f446e9d1b57d2e2e80570.pdf?index=true
    • https://77242366-7bff-4a06-a5d6-dab1adc4a405.filesusr.com/ugd/55f640_aeec5acfc87844dc94712ba1536ba71e.pdf?index=true
    • https://bc5268f1-ab19-4e23-b81b-a85e4995285b.filesusr.com/ugd/e2c223_a6cb9ab6293b4b6c810626406fe79370.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006df7.bin
450cbb25c36c3f8f53e69016efc433d2e45e27db7ff9675064367b9f95d15cbb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DF7 5308 bytes
font_01_sfnt_off00007fea.bin
93e34858f5c807cd28759a74ffb67a98c75539eb7da90ec253338b9232d46cd7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FEA 15880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.