Malicious PDF — malware analysis report

Static analysis result for SHA-256 a7b4ea7324a89d2e…

MALICIOUS

PDF

32.8 KB Created: 2020-08-30 01:51:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5c305cba91ea01aec67fb5b2c4bd2977 SHA-1: 0796e95e2c13058ab6f1e676d0ac85a093476a06 SHA-256: a7b4ea7324a89d2e96e9609690b48d4e7fedf8f55f97880fa8f19bb1a42d7028
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. One of the primary links, 'https://ttraff.com/wix?keyword=hebrew+from+scratch+mp3%2529', is flagged as a malicious redirector. The document body itself is heavily obfuscated, but the presence of numerous links, including one to a known malicious redirector, strongly suggests a malicious intent to lure users to harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=hebrew+from+scratch+mp3%2529
    • https://static.usrfiles.com/ugd/b88e3d_4e07b6b1926c4186b773ad17d89d81eb.pdf
    • https://static.usrfiles.com/ugd/b8c837_2cc12c43e58c4190a9016b0b856f756d.pdf
    • https://static.usrfiles.com/ugd/455f95_a230552425d1485e954b9b8ef1b9e328.pdf
    • https://static.usrfiles.com/ugd/162fe6_6b246e749baf47d09cb3daf556c30119.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa60f998f3ca46a0a3a5118adb8edc6e.pdf
    • https://static.usrfiles.com/ugd/b8c837_3f9ef69550884b49863cf826be322f37.pdf
    • https://static.usrfiles.com/ugd/c20ea7_283edb8e4d62440db31e46a9c3115af2.pdf
    • https://cdn.shopify.com/s/files/1/0438/1078/3394/files/91536383547.pdf
    • https://cdn.shopify.com/s/files/1/0437/8938/5885/files/combiner_deux_fichiers_en_un_seul.pdf
    • https://cdn.shopify.com/s/files/1/0438/5321/7952/files/14734864371.pdf
    • https://cdn.shopify.com/s/files/1/0431/7514/9719/files/dagotunusepaxel.pdf
    • https://cdn.shopify.com/s/files/1/0436/9498/1273/files/science_textbook_answers_grade_10.pdf
    • https://cdn.shopify.com/s/files/1/0431/6001/0912/files/nawuvitukape.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004127.bin
7432a7eb8cd00bc38d0bb37706422ec6807afd2d180b8b29d1a883021987f532		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4127 5656 bytes
font_01_sfnt_off00005459.bin
195d3356b0e66fddb75c56ef7b2235486c2ff7c70ed8aa4523f0599f30257a0b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5459 9976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.