Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a7f620fc0b65009…

MALICIOUS

PDF

108.6 KB Created: 2020-09-06 16:22:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5521e0937b4358ba6cd45c886b314098 SHA-1: 399b0ad3823f7dc86cd91a111f32841a1e2744e3 SHA-256: 9a7f620fc0b6500953e4083f89ed61b5d9d5363fc68d65b76318f2a3fed617c1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=afc+asian+cup+2019+fixtures+pdf'. This URL is presented within the document body, disguised as a sports fixture list. The PDF also contains a large number of external links, many hosted on Shopify, suggesting a link farm or SEO poisoning tactic to distribute the malicious content. The primary malicious IOC is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=afc+asian+cup+2019+fixtures+pdf
    • https://cdn.shopify.com/s/files/1/0434/4361/7958/files/xedatolatukuja.pdf
    • https://cdn.shopify.com/s/files/1/0434/4630/4933/files/best_brainy_games_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0433/4272/5275/files/18319754798.pdf
    • https://cdn.shopify.com/s/files/1/0429/4692/0615/files/carb_cycling_beginners_guide.pdf
    • https://static.usrfiles.com/ugd/de3d83_e5b460b2395d4695be1b3435298b4ab3.pdf
    • https://cdn.shopify.com/s/files/1/0435/0545/1174/files/korojetuxuwujudazexaveza.pdf
    • https://cdn.shopify.com/s/files/1/0432/6286/9670/files/46763345135.pdf
    • https://cdn.shopify.com/s/files/1/0436/3495/0304/files/5858384462.pdf
    • https://cdn.shopify.com/s/files/1/0435/6666/1800/files/gimawitut.pdf
    • https://static.usrfiles.com/ugd/de3d83_91963737180148a6888a8c5e09093d6d.pdf
    • https://static.usrfiles.com/ugd/c1108c_559937eb61ab4bd9a1e627b7d6b59ee5.pdf
    • https://static.usrfiles.com/ugd/b8c837_af5e1688525e4896922c9aa51f30f58a.pdf
    • https://static.usrfiles.com/ugd/7ef0dc_ccfa2b65b70c4f6f91393cd8db37cbce.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off0001769c.bin
db0d5c162e6d05fcfad8fc44ff98ab13525b6eb5d0f2c26cf9952e638b39a8a7		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1769C 24656 bytes
font_00_sfnt_off000122fb.bin
02ebe77af424223e0ad3fe439a50e28a85acafb9700f6f25a5545e86d3b642d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x122FB 5656 bytes
font_01_sfnt_off0001364f.bin
33ed6c7f45a890582e801d37ae9489a299d152ea613af2c68336d9d43ee32608		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1364F 2464 bytes
font_02_sfnt_off00014012.bin
73184652f102e36c8a252469e1ae09326bed7bb7d9e1f710c1099f9b826b2940		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14012 18564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.