Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d9309038d1834c9…

MALICIOUS

PDF

47.6 KB Created: 2020-08-31 19:48:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6382cbdd2a7dd2d7b83a5fcf4b57da79 SHA-1: 9d970e16ce63b9453dce14bf77d63e0898384078 SHA-256: 9d9309038d1834c92df428f2ecefb5a3d3dbecc6da64694a4a46d3d769be5a22
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.link/wix?keyword=breath+of+the+wild+captured+memories+guide'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with 'https://cdn.shopify.com/s/files/1/0438/7491/0376/files/55437066598.pdf' being the first identified. The document body, though heavily obfuscated, contains references to these URLs, suggesting an attempt to direct users to malicious content under the guise of a guide.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=breath+of+the+wild+captured+memories+guide
    • https://cdn.shopify.com/s/files/1/0438/7491/0376/files/55437066598.pdf
    • https://cdn.shopify.com/s/files/1/0430/0252/7895/files/noxifiko.pdf
    • https://cdn.shopify.com/s/files/1/0431/6987/4080/files/bangladesh_detailed_map.pdf
    • https://cdn.shopify.com/s/files/1/0431/1800/2340/files/vagipemu.pdf
    • https://cdn.shopify.com/s/files/1/0432/9390/0958/files/34470520424.pdf
    • https://static.usrfiles.com/ugd/856cea_79fbed8e88f841b5b2e4e9c0d2893b1e.pdf
    • https://static.usrfiles.com/ugd/80c1db_1bd2ca1ee4e64fa39a5494c34d108f31.pdf
    • https://cdn.shopify.com/s/files/1/0434/2693/9042/files/xivevoti.pdf
    • https://cdn.shopify.com/s/files/1/0429/6412/3814/files/56209849699.pdf
    • https://cdn.shopify.com/s/files/1/0431/6083/0116/files/richard_bandler_ita.pdf
    • https://static.usrfiles.com/ugd/e5412a_e9dad295f2674c8999f884dd9c370fe5.pdf
    • https://static.usrfiles.com/ugd/2c608b_beba5b21838c44c8bf5f7b4421ec284c.pdf
    • https://static.usrfiles.com/ugd/9374a7_31314797a29c4bb28ab7b820f7513c8f.pdf
    • https://static.usrfiles.com/ugd/b8c837_4dd701a1a1a34f57acba642faf80095b.pdf
    • https://static.usrfiles.com/ugd/6260fe_f24df66d52824dbcbe6872bb85bb7014.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007b30.bin
dae4b65ca25112fc5d42c2f8c2427399e1f276d2fbb1d9fb7c58fd1a72278424		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B30 5712 bytes
font_01_sfnt_off00008e85.bin
916b1cb00ea91f308ac658c497f73144034b16cddc36dc545af5db530eb677f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E85 10080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.