Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b45dcb66bc71a42…

MALICIOUS

PDF

37.6 KB Created: 2020-09-01 04:38:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01e648ec2e382c82910e6b811253b20f SHA-1: 8970f136d041c4d2f01dc20c3e566a544e7bafb1 SHA-256: 9b45dcb66bc71a42bd9be595eb6d709535604b9ae3671e949ce9183972700143
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.club'. Additionally, it exhibits a PDF link farm heuristic, with numerous links hosted on Shopify, suggesting a coordinated effort to distribute content or manipulate search results. The document body contains a URL that matches the redirector, reinforcing the malicious intent. The presence of a link farm and a malicious redirector indicates a likely attempt to lure users to malicious content or phishing sites.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=chale+aana+video+song++720p
    • https://cdn.shopify.com/s/files/1/0465/0536/1566/files/39508452876.pdf
    • https://cdn.shopify.com/s/files/1/0433/0081/5006/files/kappa_alpha_psi_ritual_book.pdf
    • https://cdn.shopify.com/s/files/1/0433/1126/7990/files/45925339625.pdf
    • https://cdn.shopify.com/s/files/1/0431/0378/1015/files/67404699357.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/66048758492.pdf
    • https://cdn.shopify.com/s/files/1/0463/2841/4369/files/briggs_and_stratton_17_hp_intek_ohv_repair_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/5004/9446/files/girl_fucked_by_dog.pdf
    • https://cdn.shopify.com/s/files/1/0437/8945/1416/files/intel_r_hd_graphics_3000.pdf
    • https://cdn.shopify.com/s/files/1/0441/1087/2728/files/python_alphabetize_list.pdf
    • https://static.usrfiles.com/ugd/60933b_94d0eb02c3f54b2aada20cd777963426.pdf
    • https://static.usrfiles.com/ugd/87a178_1e8f22dad2cf41c3b563eb8a256dba92.pdf
    • https://static.usrfiles.com/ugd/ace02d_efddd0f42c1344c2a532ca5a8097a534.pdf
    • https://static.usrfiles.com/ugd/cbe7f7_225b9dbeb52548c9b9580a984dc299e2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c52.bin
76f4ea742eedec00876cb4a9255e3fa1897115f8d6abd077cd9f68cd98a3b744		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C52 5444 bytes
font_01_sfnt_off00005ee3.bin
0e4b4b7da1f977304f310aa7d883c08df98b99dc9db91dc1ab505fe9fb17df75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EE3 13564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.