Malicious PDF — malware analysis report

Static analysis result for SHA-256 a79d8a2d330965ce…

MALICIOUS

PDF

43.5 KB Created: 2020-09-01 00:17:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b0778293bfe008e8454445e5ce00493 SHA-1: 8c1d780020738387732e146fbd41e42748940a04 SHA-256: a79d8a2d330965ced1f8e54a0ddd532f2e127a4e9b07180d8d3ec37c304902f2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded links, many of which point to external resources. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.com/wix?keyword=attractiveness+crossword+answer'. The document body, though heavily obfuscated, appears to contain text related to a crossword answer, suggesting a social engineering lure. The primary attack pattern involves directing users to malicious infrastructure through a link farm.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=attractiveness+crossword+answer
    • https://static.usrfiles.com/ugd/d78803_fb3cefd92e474040b7e70dc9ca0d1fc7.pdf
    • https://static.usrfiles.com/ugd/dc8a8e_f03988bab4594b7696c3b815436959de.pdf
    • https://static.usrfiles.com/ugd/07625c_d4baf49ec10a4d70b7ca0fb956f206cd.pdf
    • https://static.usrfiles.com/ugd/eb6612_ea2cad9e02644f168bc71ba01c732370.pdf
    • https://cdn.shopify.com/s/files/1/0436/4494/4542/files/23956905278.pdf
    • https://cdn.shopify.com/s/files/1/0437/8833/7313/files/wotibe.pdf
    • https://cdn.shopify.com/s/files/1/0431/9641/6157/files/87153522006.pdf
    • https://cdn.shopify.com/s/files/1/0433/3636/8283/files/85835084133.pdf
    • https://cdn.shopify.com/s/files/1/0433/3089/6026/files/wikusukaliwesizojason.pdf
    • https://static.usrfiles.com/ugd/90c678_4401b0f87ebd4eeda09ebe7f825bfaac.pdf
    • https://static.usrfiles.com/ugd/43d598_fe8adeb690d14c949979e51af580ede0.pdf
    • https://static.usrfiles.com/ugd/b8c837_b10f1ca66d2d46b0a9a5e89f3e9c9169.pdf
    • https://cdn.shopify.com/s/files/1/0433/3296/0409/files/povutikowobomuwezipek.pdf
    • https://cdn.shopify.com/s/files/1/0432/1126/0062/files/20617210231.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lapifobojupe.pdf
    • https://cdn.shopify.com/s/files/1/0431/7646/0448/files/lifalep.pdf
    • https://cdn.shopify.com/s/files/1/0430/7753/3856/files/20023934995.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d01.bin
2e670240db29c9e4da9607c369dd215887c51ae4049cae117a4b7091f5ceab25		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D01 5040 bytes
font_01_sfnt_off00007e44.bin
51bd342153af407c44e95919eb1a1471cf6250543baed6fcaacd2df0816571b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E44 10204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.