Malicious PDF — malware analysis report

Static analysis result for SHA-256 a50a08452877128f…

MALICIOUS

PDF

45.2 KB Created: 2020-08-30 11:50:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4188640cb01c03f891dca157f5b498e8 SHA-1: e53168d9393b606608a156a1912c9efc8cc4c552 SHA-256: a50a08452877128fed29b087e58e664b21f8de10771c8b01901b732b8ab745cb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.com/wix?keyword=cp+online+codes'. Another heuristic flagged the document as a PDF SEO link farm, indicating a large number of outbound links designed to manipulate search engine rankings or direct users to malicious sites. The document body contains obfuscated text and references to the malicious URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=cp+online+codes
    • https://cdn.shopify.com/s/files/1/0432/6968/5414/files/wovoro.pdf
    • https://cdn.shopify.com/s/files/1/0428/2508/9191/files/wevajo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/15843942414.pdf
    • https://cdn.shopify.com/s/files/1/0438/4748/3557/files/mivozarujeniwime.pdf
    • https://cdn.shopify.com/s/files/1/0431/7727/9652/files/wumuvidebosako.pdf
    • https://static.usrfiles.com/ugd/e5a943_4c6608942cd841a8bd795806040e96b8.pdf
    • https://static.usrfiles.com/ugd/b8c837_30f7a97e22874a8caf9607b2b82ccff8.pdf
    • https://static.usrfiles.com/ugd/4d400c_ee3b1d146ae54bd2bfa4fe0d6e616693.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa1f752720434b9f9ac4a1fb941376a8.pdf
    • https://static.usrfiles.com/ugd/b8c837_bc0c09501566483c8e1fd7778dd6472b.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ab9fea6b2844dde98454f9542b0f382.pdf
    • https://static.usrfiles.com/ugd/34ec99_baa6d7a2ad3f4f048bc07cae781cfbd3.pdf
    • https://static.usrfiles.com/ugd/10a4aa_e57a29d2adad46ec9db9f7414ddaa036.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006667.bin
f645e3cca9a222508620063c94c5a2fc4336383c1648a6cdcd63e185a357787a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6667 3652 bytes
font_01_sfnt_off00007377.bin
03d5d1f2bf43e02f2f026b19ac08923b252201e23d1d2fb86987664679b25142		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7377 4668 bytes
font_02_sfnt_off00008360.bin
0affc6b2f4b3fa77e75fa57c7990c97c785495f0e62e29e76c2cb8616b67aa71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8360 10652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.