Malicious PDF — malware analysis report

Static analysis result for SHA-256 940d0bca78db075e…

MALICIOUS

PDF

39.6 KB Created: 2020-08-22 03:56:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5496cd709cab234f13fef61fc09a3615 SHA-1: e57d9672bfef2a249ed1d2bba3dd4048df21e4f3 SHA-256: 940d0bca78db075e95967c7c04fb23a079cba626d3f7f8f84f573d92dfeda953
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, a technique often used for SEO spam or to redirect users to malicious sites. One of the embedded URLs, 'https://ttraff.com/pify?keyword=ample+sound+agt+vst+free', is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL, reinforcing its role in the attack. The presence of numerous other links, many hosted on Shopify, suggests a link farm or distribution network for malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ample+sound+agt+vst+free
    • http://files.agingsuccessfullytoday.com/uploads/1/3/0/9/130969847/lebez.pdf
    • http://files.harrysinkswarehouse.com/uploads/1/3/1/8/131871919/37c44.pdf
    • http://files.thermotrix.com/uploads/1/3/1/4/131407734/12612e9.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/46946939033.pdf
    • https://cdn.shopify.com/s/files/1/0433/9898/7941/files/jekerit.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/89462818099.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/29480145432.pdf
    • https://cdn.shopify.com/s/files/1/0437/7663/9127/files/bedsheet_cotton_mein.pdf
    • https://cdn.shopify.com/s/files/1/0432/8207/1716/files/95375207586.pdf
    • https://cdn.shopify.com/s/files/1/0434/6288/5541/files/72056975961.pdf
    • https://cdn.shopify.com/s/files/1/0427/6633/6167/files/93211084816.pdf
    • https://cdn.shopify.com/s/files/1/0437/6097/6021/files/44251872111.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005da1.bin
9185032de0d606d90cd56deaef811067a1e4430ffafb57bcacc9553a2af8e038		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DA1 5412 bytes
font_01_sfnt_off00007002.bin
5bcacf99e634515cc02dcb1672c3d328d0891c20ce02c380ab4852c92810ede1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7002 9920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.