Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b42f36375d26f62…

MALICIOUS

PDF

38.7 KB Created: 2020-09-16 20:41:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 90493b98563c59446e6f0186b282f229 SHA-1: 9fd0a7f098409ca1739537edb433067e589b2446 SHA-256: 9b42f36375d26f627a9f6875df4534a9740d3486c8bd7916d3214ded0c81eb8a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=bowflex+treadclimber+tc5500+manual'. This URL is presented within the document body, disguised as a manual for a Bowflex treadclimber. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to Shopify. The primary malicious URL likely serves as a lure to a phishing or malware distribution site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=bowflex+treadclimber+tc5500+manual
    • http://gepej.yogadiversityinitiative.org/uploads/1/3/1/4/131437261/laroli_pezogijavamu.pdf
    • https://cdn.shopify.com/s/files/1/0434/1104/6561/files/kufafawuguwiwigozogin.pdf
    • https://cdn.shopify.com/s/files/1/0430/0183/9775/files/1772149222.pdf
    • https://cdn.shopify.com/s/files/1/0465/5353/0526/files/xujitelereziloko.pdf
    • https://cdn.shopify.com/s/files/1/0432/2073/0011/files/5219918523.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/75815848510.pdf
    • https://cdn.shopify.com/s/files/1/0432/1162/0509/files/sifofobesetir.pdf
    • https://cdn.shopify.com/s/files/1/0431/2226/2167/files/challenges_of_agriculture_in_ghana.pdf
    • https://cdn.shopify.com/s/files/1/0429/1995/2550/files/jixoxixofagowelox.pdf
    • https://cdn.shopify.com/s/files/1/0432/5385/8472/files/namoderoboxamenusuxodige.pdf
    • https://cdn.shopify.com/s/files/1/0430/4617/4877/files/vakez.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b49.bin
a5b532b623b9e0936fd4e98e61cdaa51da29a775eb23ebdf7272933cccfe623b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B49 5604 bytes
font_01_sfnt_off00005e60.bin
4e6f6688e58a3982379bb0f0590c66fc3896c839112aa7751376cc00692af691		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E60 14868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.