Malicious PDF — malware analysis report

Static analysis result for SHA-256 a7506909288bcb4e…

MALICIOUS

PDF

46.0 KB Created: 2020-08-15 01:37:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7da34f0371fb1b13a69d4373bffb4baf SHA-1: 10c8bfe2b83077f6924167819722f6641419b8ee SHA-256: a7506909288bcb4ead1524cb403ff1273d4e0f987c50d81cbc28f98af2b9f54c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links pointing to external PDF files, many hosted on Shopify. This indicates a link farm, likely for SEO manipulation or to distribute further malicious content. One of the primary links, 'https://ttraff.com/pify?keyword=boomkin+guide+8.+2', is flagged as a malicious redirector. The document body itself is heavily obfuscated and contains metadata suggesting it was generated by wkhtmltopdf.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=boomkin+guide+8.+2
    • http://files.everything-365.com/uploads/1/3/1/3/131383771/sopadisupezasek-xegofubef-xebeperu.pdf
    • http://files.showmerob.com/uploads/1/3/1/3/131384436/e0478d60a2fb5.pdf
    • http://fepuxu.stopthecelltower.com/uploads/1/3/0/7/130738531/ketup.pdf
    • http://files.hardawayart.com/uploads/1/3/0/7/130739169/govoro.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/32878299647.pdf
    • https://cdn.shopify.com/s/files/1/0436/1561/7182/files/55363462931.pdf
    • https://cdn.shopify.com/s/files/1/0432/0644/3163/files/xupesonerojoxudurozuzif.pdf
    • https://cdn.shopify.com/s/files/1/0434/8513/5014/files/63055483863.pdf
    • https://cdn.shopify.com/s/files/1/0427/6443/5612/files/zowatolixuxagotuje.pdf
    • https://cdn.shopify.com/s/files/1/0440/3593/2310/files/garmin_usb_drivers.pdf
    • https://cdn.shopify.com/s/files/1/0428/8859/3567/files/39691095916.pdf
    • https://cdn.shopify.com/s/files/1/0429/9236/9823/files/how_do_i_convert_to_word_document_for_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/1020/3556/files/assembler_2_en_un_seul.pdf
    • https://cdn.shopify.com/s/files/1/0429/9948/0473/files/21117413907.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000773f.bin
2704f040e0b630378541565a21e6cc8f1e9ee07f0573c4016a84322daab80b74		 pdf-font-stream PDF embedded font (sfnt) at offset 0x773F 5100 bytes
font_01_sfnt_off00008894.bin
ea8cc947dc77b1a72fea87bf2f40269e20de169e76fcdb0ecd0530330c0d45db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8894 10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.