Malicious PDF — malware analysis report

Static analysis result for SHA-256 99c1e33a9dc80086…

MALICIOUS

PDF

52.4 KB Created: 2020-08-09 13:30:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61d0d6c1844ecd5daf743871b380016f SHA-1: 71b6e11b40688629443e0117621b7e170a8149e1 SHA-256: 99c1e33a9dc80086505e058da4107c10ea73b89f57672429d96152a451463e1f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to Shopify-hosted PDF files, indicating a link farm or distribution mechanism. One critical heuristic identified a redirector link to traff.com, suggesting a malicious redirection chain. The document body is heavily obfuscated and contains the primary malicious URL, likely intended to lure users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=analytical+marxism+john+roemer+pdf
    • http://varaduda.vigilant-m.com/uploads/1/3/1/1/131164250/binokabib_tiwamarapafem_kuzikelaro_jejifisiw.pdf
    • http://files.jpsact.org/uploads/1/3/1/4/131483019/f2bd7b5.pdf
    • http://minamaxa.winkwinkbeautybar.com/uploads/1/3/1/6/131607131/lupirozoj.pdf
    • https://cdn.shopify.com/s/files/1/0428/7247/1718/files/dujenuwezumedazisetuno.pdf
    • https://cdn.shopify.com/s/files/1/0432/9740/7126/files/mizoxonukivisaxaditinizot.pdf
    • https://cdn.shopify.com/s/files/1/0428/5674/3079/files/91701237268.pdf
    • https://cdn.shopify.com/s/files/1/0435/0889/1807/files/pupoxuwoxujabi.pdf
    • https://cdn.shopify.com/s/files/1/0432/1463/5165/files/57337797238.pdf
    • https://cdn.shopify.com/s/files/1/0437/8319/2727/files/40012999879.pdf
    • https://cdn.shopify.com/s/files/1/0429/4760/8730/files/zetadusudevosowewotu.pdf
    • https://cdn.shopify.com/s/files/1/0440/5090/7286/files/nubafowibofejawanekivig.pdf
    • https://cdn.shopify.com/s/files/1/0433/1477/4169/files/gumoxurosunoponawixez.pdf
    • https://cdn.shopify.com/s/files/1/0433/4937/7177/files/bosuwabugaz.pdf
    • https://cdn.shopify.com/s/files/1/0431/4651/0490/files/domanalakigopoberaxenof.pdf
    • https://cdn.shopify.com/s/files/1/0432/5661/0976/files/pevijiti.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008f00.bin
44212cf5e2023295ed62b084484d4b456fe30e06515d06ab94635740cb8f7cb5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F00 5628 bytes
font_01_sfnt_off0000a20e.bin
0df5785a5ffde20ec7a383559447915f39507bc1119547a6e6d1395af522e31a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA20E 10100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.