Malicious PDF — malware analysis report

Static analysis result for SHA-256 977a6f3e54cb1799…

MALICIOUS

PDF

34.4 KB Created: 2020-09-07 18:02:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 56b561836ec0e41f8089ffdab295cf25 SHA-1: d37121afa97ce9e1f09a249e776836381046b539 SHA-256: 977a6f3e54cb1799b044821915d4ef37040071a8a58703526c78a5d7b7f9455c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass of external links, including a critical link to a known malicious redirector at 'https://ttraff.club/wix?keyword=free++badman+binladin+songs'. The document body, though heavily obfuscated, contains references to 'free badman binladin songs' and the malicious URL, suggesting a lure to entice users to click the malicious link. The presence of numerous Shopify-hosted PDF links indicates a link farm strategy to improve search engine ranking and distribute the malicious payload.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=free++badman+binladin+songs
    • https://cdn.shopify.com/s/files/1/0431/6990/6844/files/48603278727.pdf
    • https://cdn.shopify.com/s/files/1/0438/2208/8354/files/3d_printer_parts_list.pdf
    • https://cdn.shopify.com/s/files/1/0433/0592/6809/files/angular_7_form_validation_on_blur.pdf
    • https://cdn.shopify.com/s/files/1/0432/3577/0535/files/rules_of_abbreviation.pdf
    • https://cdn.shopify.com/s/files/1/0428/9950/5311/files/siwoxelodatogokejupene.pdf
    • https://static.usrfiles.com/ugd/b8c837_67869d0b1a424653b7b6877be0e9f2df.pdf
    • https://static.usrfiles.com/ugd/cb5dea_b9846603960e4693a04fde2f3e118252.pdf
    • https://static.usrfiles.com/ugd/de65f7_4a3b75ed1104494ebccd7de4c4b9b2f4.pdf
    • https://static.usrfiles.com/ugd/89441e_416e98b822114e6e996ab8a23f79f85a.pdf
    • https://cdn.shopify.com/s/files/1/0430/9050/9977/files/69215169139.pdf
    • https://cdn.shopify.com/s/files/1/0435/3576/1576/files/33373465165.pdf
    • https://cdn.shopify.com/s/files/1/0428/1538/9855/files/veziverufadifofof.pdf
    • https://static.usrfiles.com/ugd/87fdc7_9066c6645f00486aa94a7f7d2459e814.pdf
    • https://static.usrfiles.com/ugd/24853a_b18c6da675fa4aef818081b06e75ace7.pdf
    • https://static.usrfiles.com/ugd/1e557c_c88a0e2aa9ac41bca8c8c312ee0991f4.pdf
    • https://static.usrfiles.com/ugd/28146e_badb83f292ad41e6bc31562c251df91f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000048c7.bin
29a4aa9fd1b1d197dba10f84fde386a2b2c1ae484ab21b71d0bb3af67cea15b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48C7 5240 bytes
font_01_sfnt_off00005a7e.bin
f5f13787fa26f3b025d21366c7ccb1368de2e994157ce6adc40fd6cf23da9ea9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A7E 10212 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.