Malicious PDF — malware analysis report

Static analysis result for SHA-256 91a93e9718dbe145…

MALICIOUS

PDF

Size: 45.6 KB   Created: 2020-08-19 00:29:00 +03:00   Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73e72d3b92e6e64633e8001ca7a6232e   SHA-1: c962aebe35b24d5c982664e06fb444e21f166d66   SHA-256: 91a93e9718dbe145d632188b53bd3a80e41827b9ed37ba345248af67d6a5195a
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment   T1204.001 Malicious Link

The PDF carries an unusually large number of clickable link annotations for its size, and a critical heuristic fired for a link farm built to route users elsewhere. One of the primary links points to 'ttraff.cc', a redirector host associated with a known malicious PDF SEO/adware campaign, which likely serves as the gateway to the final payload or landing page. The remaining links point at other generated PDFs, most of them on cdn.shopify.com, a pattern consistent with abusing legitimate hosting to obscure the true destination and lend the chain credibility. No JavaScript or other script content was extracted from this sample, so the threat depends on the user following a link rather than on a PDF parser vulnerability.

Heuristics 3

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries below are XMP namespace URIs from the document's metadata stream, not clickable links, and the final truncated entry is a text-body fragment rather than a separate link target.
    • https://ttraff.cc/pify?keyword=bloodshed+dev+c
    • http://wadaxufol.covefiinvestments.com/uploads/1/3/1/4/131411896/kukotafupevu_jajazul_dazamirusetuxi.pdf
    • http://files.bigislandeventrentals.com/uploads/1/3/0/8/130814258/2236c2de5262.pdf
    • http://files.herhairpalace.com/uploads/1/3/2/6/132681901/7628102.pdf
    • http://files.donigianproperties.com/uploads/1/3/1/4/131453111/0d50928bffcdb0f.pdf
    • https://cdn.shopify.com/s/files/1/0429/6930/1151/files/alter_ego_b2.pdf
    • https://cdn.shopify.com/s/files/1/0429/9456/5271/files/67967721252.pdf
    • https://cdn.shopify.com/s/files/1/0433/8437/3406/files/hollywood_action_movie_tamil.pdf
    • https://cdn.shopify.com/s/files/1/0433/9751/3381/files/winesediridumitebupup.pdf
    • https://cdn.shopify.com/s/files/1/0432/4127/5547/files/tratamento_do_cancer_de_prostata.pdf
    • https://cdn.shopify.com/s/files/1/0432/5575/9011/files/riboxo.pdf
    • https://cdn.shopify.com/s/files/1/0428/7492/9319/files/xidataxemod.pdf
    • https://cdn.shopify.com/s/files/1/0428/9242/7430/files/1667678778.pdf
    • https://cdn.shopify.com/s/files/1/0433/6048/5541/files/63984438374.pdf
    • https://cdn.shopify.com/s/files/1/0431/8973/1479/files/bengali_to_english_translation_practice.pdf
    • https://cdn.shopify.com/s/files/1/0437/3974/2359/files/rimusu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0431/8973/1479/files/bengali_to_english_tra
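The two critical heuristics above are simple to reproduce. The following is an added example, not the analysis platform's own code: it builds a constructed minimal PDF in memory (with /Link annotations carrying /URI actions and an XMP metadata stream), extracts URIs per channel so that XMP namespace URIs are not confused with clickable links, and then applies a link-farm and a redirector check. The thresholds, the redirector list and the sample links are assumptions chosen for illustration; a production scanner would also need to decode escaped and hex strings and inflate compressed object streams, which this regex-based extractor does not do.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample links (not the analysed sample's URLs). One points at an
# assumed redirector host, the rest mimic a link farm clustered on one CDN host.
LINKS = [
    "https://ttraff.cc/pify?keyword=example",
    "https://cdn.shopify.com/s/files/1/0001/1111/files/a.pdf",
    "https://cdn.shopify.com/s/files/1/0002/2222/files/b.pdf",
    "https://cdn.shopify.com/s/files/1/0003/3333/files/c.pdf",
    "https://cdn.shopify.com/s/files/1/0004/4444/files/d.pdf",
    "http://files.example.net/uploads/1/2/3/e.pdf",
]

# Assumed thresholds and blocklist; tune against a real corpus.
REDIRECTOR_HOSTS = {"ttraff.cc"}
SMALL_PDF_BYTES = 100 * 1024   # "small" carrier document
MIN_PDF_LINKS = 5              # minimum external .pdf links to call it a farm
CLUSTER_FRACTION = 0.5         # share of those links on the single top host


def build_sample_pdf(links):
    """Build a minimal, uncompressed PDF with one /Link annotation per URL
    plus an XMP metadata stream whose xmlns URIs are not links at all."""
    annots = "".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 20} 100 {i * 20 + 10}] "
        f"/A << /S /URI /URI ({u}) >> >>\n"
        for i, u in enumerate(links))
    xmp = ("<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           "xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           "xmlns:dc='http://purl.org/dc/elements/1.1/'/></x:xmpmeta>")
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + "] >> endobj\n"
            f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
            "stream\n" + xmp + "\nendstream endobj\n"
            "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Channel 1: URI actions attached to link annotations (user-clickable).
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\((.*?)\)", re.S)
# Channel 2: XML namespace declarations inside XMP metadata (never clickable).
XMLNS = re.compile(rb"xmlns:[A-Za-z0-9]+=['\"]([^'\"]+)['\"]")


def extract_urls(pdf_bytes):
    """Return URLs keyed by the channel that reached them."""
    return {
        "link_annotation": [m.decode("latin-1") for m in URI_ACTION.findall(pdf_bytes)],
        "xmp_namespace": [m.decode("latin-1") for m in XMLNS.findall(pdf_bytes)],
    }


def evaluate(pdf_bytes, redirectors=REDIRECTOR_HOSTS):
    """Apply the redirector and link-farm heuristics to clickable links only.
    Returns a list of (heuristic_id, severity, evidence) tuples."""
    urls = extract_urls(pdf_bytes)
    links = urls["link_annotation"]
    findings = []

    # Redirector check: any clickable link whose host is on the blocklist.
    hit = sorted({urlparse(u).hostname for u in links
                  if urlparse(u).hostname in redirectors})
    if hit:
        findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", hit))

    # Link-farm check: small file, many external .pdf links, clustered on one host.
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_bytes) < SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS:
        top_host, top_n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if top_n / len(pdf_links) >= CLUSTER_FRACTION:
            findings.append(("PDF_SEO_LINK_FARM", "critical",
                             [f"{top_n}/{len(pdf_links)} external PDF links on {top_host}"]))

    # Informational: everything extracted, with its channel, for the analyst.
    if links or urls["xmp_namespace"]:
        findings.append(("EMBEDDED_URL", "info", urls))
    return findings


if __name__ == "__main__":
    for heuristic, severity, evidence in evaluate(build_sample_pdf(LINKS)):
        print(f"[{severity}] {heuristic}: {evidence}")
```

Keeping the channels separate is what stops the XMP namespace URIs (rdf-syntax-ns, purl.org/dc, ns.adobe.com) from inflating the link count; only annotation-borne URIs feed the two critical checks.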

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off000076a3.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x76A3   4832 bytes
    SHA-256: f08b1b2ff7d4ef2a684542e83b1ef99e350146b2c147d5cc993b7f4e0fa60c88
font_01_sfnt_off00008712.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x8712   10096 bytes
    SHA-256: f81c1c8e5186b2c1522c42b73fbcb83f0c242edf0fef87fca774d1bc6cf66049