Malicious PDF — malware analysis report

Static analysis result for SHA-256 94ad7493a670bc7e…

MALICIOUS

PDF

66.6 KB Created: 2020-09-19 16:14:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 676b2543fa182fbd9ec758b023f94bf7 SHA-1: 672bcb2ae6c04cf665a4580e8162326248b504f3 SHA-256: 94ad7493a670bc7eb1622f11356e7eca92596d4b19a75924b4db723c72a133d5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a large number of embedded links, characteristic of a link farm. One of these links, 'https://ttraff.link/wix?keyword=the+case+of+a+self+contained+meaning', is flagged as a known malicious redirector. The document body itself contains garbled text and metadata indicating it was generated by wkhtmltopdf, suggesting it's not intended for human consumption but rather as a vehicle for distributing links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=the+case+of+a+self+contained+meaning
    • http://files.realwalks.com/uploads/1/3/2/3/132303009/mazatopefikir-tarigikisafexo-guzipopuru-fodawulonekidem.pdf
    • http://files.jessica-gordon.com/uploads/1/3/0/7/130775728/gabanuzefen_gowudaguk_gedisomibafixe.pdf
    • https://fca02d60-5857-4fd9-b3a0-3b8c598cac2d.filesusr.com/ugd/851c7c_450e958498e44f43aef52837e1899b19.pdf?index=true
    • https://1ec44e47-b545-4667-9151-f1e1be153ca6.filesusr.com/ugd/3a38e0_45b595f5ceaa4affbfcab147de8571ff.pdf?index=true
    • https://addd23c8-f78c-41e1-ba4a-9308775559d8.filesusr.com/ugd/6924eb_355126730e18464b97b6f95338583647.pdf?index=true
    • https://e7e723ad-c83c-45b2-ab45-e508eb6b8202.filesusr.com/ugd/d61b30_bd8c1ffd132a4c14ac860d60edca3397.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0463/5338/3581/files/duburimativiwo.pdf
    • https://cdn.shopify.com/s/files/1/0433/6369/6805/files/gegipasul.pdf
    • https://cdn.shopify.com/s/files/1/0432/7309/3288/files/ielts_writing_task_2_sample_essays_band_9.pdf
    • https://cdn.shopify.com/s/files/1/0482/6870/5954/files/95328206299.pdf
    • https://cdn.shopify.com/s/files/1/0430/8369/4247/files/64531507783.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006646.bin
e4121a0bd4ccb5171277120a3afcfaf64f216ca48a0a3fa388cf33831b104223		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6646 5600 bytes
font_01_sfnt_off00007a03.bin
05b3e4a90f80a4ee2a54acb70b74e02e07db2e1a71092a781fe267eeb93545df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A03 5288 bytes
font_02_sfnt_off00008bda.bin
f3888f27e06dd1cf107c215e198ac2c73510dede1568242d282c58e158fe8149		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8BDA 4028 bytes
font_03_sfnt_off000099b6.bin
1b78247d75ccc0428a2b980db53120efe92e2fe4f77c19ccfe45b2a6bea7bfce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x99B6 4984 bytes
font_04_sfnt_off0000a9f5.bin
71c4f8cec0ffcc0d8caf4492722fb0c2075e7ff3ad3c1585f246cc8d692aa15a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA9F5 12460 bytes
font_05_sfnt_off0000d2f0.bin
afd6189cb7d5638f56d2f3b6bb2e92dbeba9ffcd345c9bd1040fbdd1ccc10ef9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD2F0 17200 bytes
font_06_sfnt_off0000ec1b.bin
a51bd093336b1113e5cf36ebbfb2e2ec4ded7d4f11a208f85620e4f0792c09e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC1B 3564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.