Malicious PDF — malware analysis report

Static analysis result for SHA-256 9723811258cf3f67…

MALICIOUS

PDF

40.6 KB Created: 2020-08-31 22:30:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 635f238023c2da4c2f8bf719fd272db7 SHA-1: 1af1711b00f6f5b34258e9836b7caaea90baaa8c SHA-256: 9723811258cf3f67473094581f2baa3bfdbf817ff6473a12fc781956dc79b8b6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link that redirects to a malicious URL, disguised as a 'freelance web design quote template'. The PDF also exhibits characteristics of a link farm, with numerous embedded links pointing to Shopify domains, likely for SEO manipulation or to host further payloads. The primary malicious link is to 'ttraff.cc', a known redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=freelance+web+design+quote+template
    • https://cdn.shopify.com/s/files/1/0428/2476/1507/files/nipofowebesoso.pdf
    • https://cdn.shopify.com/s/files/1/0432/7797/5717/files/pewemalibiwex.pdf
    • https://cdn.shopify.com/s/files/1/0432/6067/4198/files/3231155535.pdf
    • https://cdn.shopify.com/s/files/1/0439/0577/7832/files/lonogumupixojuke.pdf
    • https://cdn.shopify.com/s/files/1/0431/3654/9018/files/chemische_formeln_lesen.pdf
    • https://static.usrfiles.com/ugd/b8c837_95bde3f0ece449be9e72462082bb8498.pdf
    • https://cdn.shopify.com/s/files/1/0438/7107/6520/files/37970675596.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xefafozerokadugatevaru.pdf
    • https://cdn.shopify.com/s/files/1/0431/1387/3569/files/42881122487.pdf
    • https://static.usrfiles.com/ugd/a6e5e9_66f41899fbbc4b36b047ad553abfb01f.pdf
    • https://static.usrfiles.com/ugd/b8c837_4b4cf20ed2634caabd44551752bf29df.pdf
    • https://static.usrfiles.com/ugd/3ce946_d9c610fb59b4460d83c3bd17d59e766e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f3f.bin
aeb7a7b95b9c7f3567cddeb3dc13786fdc8e34794ce645cb7542415187817454		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F3F 5708 bytes
font_01_sfnt_off00007292.bin
f5812b3b401331240aa835f14c356d69206a8db59857fb17b464da24ab22032d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7292 10272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.