Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a962b19caee9bad…

MALICIOUS

PDF

44.9 KB Created: 2020-09-02 10:49:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3fa385f85ea418f2b09e9ae42e92e75a SHA-1: 42b208ce954fb902cbf605bbcdf66bd1644eac56 SHA-256: 9a962b19caee9bad69b7b5c1c8ad58a240d2a4f58205788bcaa0b6aeb93cc9c0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to Shopify domains hosting other PDFs, which is indicative of a link farm. One of these links, https://ttraff.club/wix?keyword=blythe+baird+book+pdf, is identified as a malicious redirector. The document body text is heavily obfuscated but contains references to the redirector URL, suggesting the primary goal is to redirect the user to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=blythe+baird+book+pdf
    • https://cdn.shopify.com/s/files/1/0436/5815/0046/files/dozemawajaguxuke.pdf
    • https://cdn.shopify.com/s/files/1/0447/5482/9463/files/business_english_handbook_advanced_chomikuj.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tuwaz.pdf
    • https://cdn.shopify.com/s/files/1/0454/7294/0198/files/hot_rolling_sheet_metal.pdf
    • https://cdn.shopify.com/s/files/1/0460/6518/9019/files/gmat_guide_book.pdf
    • https://static.usrfiles.com/ugd/37987b_7fe0473036a94fa284b2d1218dc187e2.pdf
    • https://static.usrfiles.com/ugd/b8c837_5633cd9cec524b8c825dced67fccd0ae.pdf
    • https://static.usrfiles.com/ugd/cc14e4_acb2e9ab0e7143ec826a55fef3387a5c.pdf
    • https://static.usrfiles.com/ugd/fb5067_9c92011db0c24d288fd675af4274ae64.pdf
    • https://cdn.shopify.com/s/files/1/0436/3508/1374/files/25829676721.pdf
    • https://cdn.shopify.com/s/files/1/0428/3102/0198/files/tisodagenonunad.pdf
    • https://cdn.shopify.com/s/files/1/0428/4622/4551/files/40451661980.pdf
    • https://cdn.shopify.com/s/files/1/0433/8047/4014/files/totud.pdf
    • https://cdn.shopify.com/s/files/1/0434/2149/9548/files/opencv_affine_transform_image.pdf
    • https://cdn.shopify.com/s/files/1/0434/7278/1478/files/zegolaru.pdf
    • https://cdn.shopify.com/s/files/1/0438/0898/1153/files/kodak_easyshare_z_915.pdf
    • https://cdn.shopify.com/s/files/1/0431/2812/7654/files/ubqari_magazine_april_2020_free_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000706c.bin
a4241c12b80a653cb1e1b16e63ab31fa0a8cb8fe554e298483f5cf45926a51d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x706C 5308 bytes
font_01_sfnt_off00008278.bin
b41806fb6eda178b5e9938a4f1cb8a3210a1e4a893e5e55ecdab8a48663495e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8278 10780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.