Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6e9ec9f525113e6…

MALICIOUS

PDF

48.1 KB Created: 2020-08-03 17:47:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8426dd16a4a35c8624b32fc7ef935006 SHA-1: 9810ee2e0fba2587cbf5520067fbd2d81db0917b SHA-256: a6e9ec9f525113e62504740384a776277398e86533622507bacd36fca01ec290
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector at 'ttraff.com'. This suggests a link farm or SEO poisoning technique used to disguise malicious intent. The document body is heavily obfuscated, but the presence of the malicious URL is a strong indicator of a phishing or malware distribution attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=benson+schaeffer+signos+pdf
    • http://files.dkg-nc-mu.com/uploads/1/3/1/8/131856636/kegabodimapof.pdf
    • http://files.wineverytime19.com/uploads/1/3/1/6/131636676/xixigufanivijuz.pdf
    • http://files.erinboake.com/uploads/1/3/0/7/130776718/maxul_zefanenumu_ruxuxotevar_jazomagudigem.pdf
    • https://cdn.shopify.com/s/files/1/0431/5670/1348/files/bawadotigudeke.pdf
    • https://cdn.shopify.com/s/files/1/0432/4940/2024/files/72842779519.pdf
    • https://cdn.shopify.com/s/files/1/0431/9477/7757/files/macintosh_character_map.pdf
    • https://cdn.shopify.com/s/files/1/0431/4015/3505/files/1116993900.pdf
    • https://cdn.shopify.com/s/files/1/0427/3196/2535/files/82414370235.pdf
    • https://cdn.shopify.com/s/files/1/0433/1572/4456/files/rosagezexofufoz.pdf
    • https://cdn.shopify.com/s/files/1/0438/4745/0789/files/16564899476.pdf
    • https://cdn.shopify.com/s/files/1/0431/1610/1793/files/86700215329.pdf
    • https://cdn.shopify.com/s/files/1/0432/5670/9273/files/46641604940.pdf
    • https://cdn.shopify.com/s/files/1/0428/9373/8143/files/lolezabepobepi.pdf
    • https://cdn.shopify.com/s/files/1/0431/4585/5137/files/49535469986.pdf
    • https://cdn.shopify.com/s/files/1/0440/8174/1976/files/vasaxogateniz.pdf
    • https://cdn.shopify.com/s/files/1/0428/9652/3423/files/airport_utility_app.pdf
    • https://cdn.shopify.com/s/files/1/0431/0433/8074/files/most_valuable_playboy_magazines.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0427/3196/2535/file

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079cb.bin
280549289ffd893a8659d9749ba01206191a1f648febb3282e9db7613b3a325d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79CB 5432 bytes
font_01_sfnt_off00008c46.bin
b0faec99ca00140338a2d1a05b0c98bd6d67aa5a4c898aebdc8284df4fa05da9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C46 11720 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.