Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0ecc6a5bd9aa5b4…

MALICIOUS

PDF

34.0 KB Created: 2020-08-25 19:29:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 50c5d1f287db3589caa3b9457a354c69 SHA-1: e45c928d01930694fef926223139d660b58533d5 SHA-256: a0ecc6a5bd9aa5b45154fc8d5d22fc9f6175474abd143ee3cd034abb55cd40d7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a common technique for SEO link farms and phishing. One of the primary links, 'https://ttraff.cc/pify?keyword=maria+b+new+collection', is flagged as a malicious redirector. The document body, though partially corrupted, contains text that appears to be a lure for a 'Maria b new collection', suggesting a phishing attempt to drive traffic to malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=maria+b+new+collection
    • http://files.akomaarts.org/uploads/1/3/0/7/130739776/44661e9.pdf
    • http://files.unionvalleybaptist.net/uploads/1/3/2/6/132682528/pilidaruxofadopekupa.pdf
    • http://files.manfredjantzen.com/uploads/1/3/1/4/131483097/josonaz.pdf
    • http://files.cceheadgearplus.com/uploads/1/3/0/7/130738652/7428122.pdf
    • http://files.mprints.shop/uploads/1/3/2/6/132695730/ca93609700.pdf
    • https://cdn.shopify.com/s/files/1/0431/5686/5173/files/vowozenovoxeba.pdf
    • https://cdn.shopify.com/s/files/1/0429/0553/4620/files/88905772756.pdf
    • https://cdn.shopify.com/s/files/1/0432/9517/8902/files/99443933921.pdf
    • https://cdn.shopify.com/s/files/1/0435/0610/6528/files/assembly_language_by_ytha_yu.pdf
    • https://cdn.shopify.com/s/files/1/0430/6577/0135/files/amblyomma_spp.pdf
    • https://cdn.shopify.com/s/files/1/0432/0913/0143/files/lokolitagozaviresabola.pdf
    • https://cdn.shopify.com/s/files/1/0434/6504/8214/files/free_windows_7_product_key.pdf
    • https://cdn.shopify.com/s/files/1/0429/3623/8236/files/69585865221.pdf
    • https://cdn.shopify.com/s/files/1/0431/4421/6730/files/63993162283.pdf
    • https://cdn.shopify.com/s/files/1/0438/5597/0464/files/dogodopisomezumubuxevojen.pdf
    • https://cdn.shopify.com/s/files/1/0438/7838/3771/files/burbank_city_jobs.pdf
    • https://cdn.shopify.com/s/files/1/0430/2091/0746/files/sapna_choudhary_songs.pdf
    • https://cdn.shopify.com/s/files/1/0437/0671/2219/files/crimson_peak_movie_in_tamil.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004af5.bin
35ef4e0e660aed07799b3ea155cddf9e207710f3df14911de14b4f953ae571e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4AF5 4852 bytes
font_01_sfnt_off00005b97.bin
9b30b57b11748b18141179ebb93e18efda63efe2b844d990c330ad552da7ec95		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B97 9308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.