Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d9b60104bad1556…

MALICIOUS

PDF

42.2 KB Created: 2020-09-01 23:59:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 42e7fd29c8388bd8cedc0c2fe2528506 SHA-1: a6ce39beccff0002d54fd425830bc4643c662602 SHA-256: 9d9b60104bad1556ba8f3b741ceb9018ef65229a4be1c9432e10bbf02a845731
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, a common tactic for SEO poisoning and redirecting users to malicious sites. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.com/wix?keyword=audio+editor+apkpure'. The document body also contains this URL and other PDF links, suggesting a link farm designed to manipulate search engine results and lure users. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=audio+editor+apkpure
    • https://cdn.shopify.com/s/files/1/0431/0056/9766/files/75617317977.pdf
    • https://cdn.shopify.com/s/files/1/0433/6674/4216/files/zezixon.pdf
    • https://cdn.shopify.com/s/files/1/0430/9028/0609/files/34207101173.pdf
    • https://static.usrfiles.com/ugd/8b97dd_c41c1d107d304b1e85a4e2acd6a46594.pdf
    • https://static.usrfiles.com/ugd/06497e_df4b1a4805144ad5937430ab044e8811.pdf
    • https://static.usrfiles.com/ugd/5360f8_d80ef79a905a44e88199dbc2c4ad8133.pdf
    • https://static.usrfiles.com/ugd/b8c837_d4b78f0c91ff4000a4e5cf4d52f44875.pdf
    • https://static.usrfiles.com/ugd/57c819_40dc5d2dd8e74eada6f806bf396c1258.pdf
    • https://cdn.shopify.com/s/files/1/0437/0202/6393/files/mubofevumesetixitojevisa.pdf
    • https://cdn.shopify.com/s/files/1/0438/4266/6656/files/adobe_illustrator_cs6_bangla_book_free_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005127.bin
b5cc307356fc373db6a654984ac19b6749f77ea3cc12755da1d26d5810f9687c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5127 4796 bytes
font_01_sfnt_off00006185.bin
38945a3cde4acb94d09538108bcb2281cc8e5b5bc9351278b59dc01f15222d2d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6185 10676 bytes
font_02_sfnt_off00008602.bin
f64374342ee7b622385cc2739859e641226b525954788957b1726d1cdcba0607		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8602 16548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.