Malicious PDF — malware analysis report

Static analysis result for SHA-256 9942317384d453f7…

Verdict: MALICIOUS
File type: PDF
Size: 41.3 KB
Created: 2020-08-17 12:41:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6de0882918dfb201b237afeeaea96673
SHA-1: 887b5e82576535bd19ed049af9def122764b4fa7
SHA-256: 9942317384d453f752d9cdde31db4a90636b7c968cce56ec4be17480f67d762d
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious because of its structure: it embeds a large number of links pointing to external PDF files, which is characteristic of a link farm. One of these links, https://ttraff.com/pify?keyword=btrfs+vs+ext4+performance+2017, is a known malicious redirector. The document body itself consists of garbled text plus a reference to the same malicious URL, which suggests an attempt to lure users into following the link to malicious content.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=btrfs+vs+ext4+performance+2017

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006245.bin
  SHA-256: e9ad0986c625098eea76354da577e158b22b11f18af614d681bf29c8818e6b71
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6245
  Size: 5800 bytes

Filename: font_01_sfnt_off0000760a.bin
  SHA-256: b05b639e211d7dd19f23f9e5c54590c1ebe67cecc70875174aecdedee6d39396
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x760A
  Size: 9956 bytes