Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1fc7fd1dbce3798…

MALICIOUS

PDF

41.3 KB Created: 2020-09-17 05:46:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7deec41d0366878fe2df4025e9606e05 SHA-1: 74c13bd78cb37eae02f5f1aa923d0f40444d928c SHA-256: a1fc7fd1dbce37988349d5862d04bba111565c5139cc751bcde9aa975f870208
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded links, many of which point to Shopify domains hosting PDF files, suggesting a link farm for SEO manipulation. However, one critical heuristic identified a link to a known malicious redirector at 'https://ttraff.me/wix?keyword=garth+brooks+eugene+oregon'. The document body, though heavily obfuscated, contains this same URL, indicating the primary intent is to redirect the user to malicious infrastructure. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=garth+brooks+eugene+oregon
    • http://files.viktoriasanto.com/uploads/1/3/1/3/131398177/ce84bb29e.pdf
    • http://files.brabenderfarm.com/uploads/1/3/0/7/130739918/7258053.pdf
    • https://cdn.shopify.com/s/files/1/0434/2022/1607/files/hanuman_chalisa_lyrics_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/4606/7621/files/online_magazine_viewer_free.pdf
    • https://cdn.shopify.com/s/files/1/0434/0213/3667/files/elements_of_photogrammetry_with_application_in_gis_fourth_edition.pdf
    • https://cdn.shopify.com/s/files/1/0434/3355/8168/files/piledujojal.pdf
    • https://cdn.shopify.com/s/files/1/0432/7125/8276/files/80631813954.pdf
    • https://cdn.shopify.com/s/files/1/0432/2318/7614/files/57680363964.pdf
    • https://cdn.shopify.com/s/files/1/0432/0146/2436/files/2889921140.pdf
    • https://cdn.shopify.com/s/files/1/0458/5488/3993/files/guided_reading_level_of_the_drama.pdf
    • https://cdn.shopify.com/s/files/1/0431/1531/5349/files/85410595646.pdf
    • https://cdn.shopify.com/s/files/1/0434/1065/3338/files/wisdom_of_the_oracle_guide_book.pdf
    • https://cdn.shopify.com/s/files/1/0430/6858/8185/files/zepozobonofirefinoxenaxo.pdf
    • https://cdn.shopify.com/s/files/1/0428/1221/1359/files/77058444937.pdf
    • https://cdn.shopify.com/s/files/1/0432/4923/8178/files/types_of_telemetry_system.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006365.bin
9287b077581fe9063a176eb28767e2a05521137e5fd6ca3c119e89efff0be6e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6365 5148 bytes
font_01_sfnt_off000074e4.bin
90d1c1c1976466de30ff18de3172f8f025f347e3d7bca3755e48aed90be0a90f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74E4 9904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.