Malicious PDF — malware analysis report

Static analysis result for SHA-256 a90f28439859c10e…

MALICIOUS

PDF

41.5 KB Created: 2020-08-31 04:42:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7816b033a964bbd590847a9b8664c631 SHA-1: ea7e8786c7e4e44e9ac9da444caf9a435478db4b SHA-256: a90f28439859c10ee5b1ea34c558ecf63f6462f1e51db7351795977823abb5cb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/wix?keyword=fce+reading+test+pdf'. This URL is presented within the document body, suggesting a phishing or scam attempt to lure users to malicious infrastructure. The presence of numerous other links, many hosted on Shopify, indicates a potential link farm or SEO manipulation tactic to obscure the malicious destination. No scripts were extracted, and the document body is heavily obfuscated, but the primary malicious intent appears to be redirection.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=fce+reading+test+pdf
    • https://cdn.shopify.com/s/files/1/0435/6079/6318/files/53579886869.pdf
    • https://cdn.shopify.com/s/files/1/0431/1279/2225/files/single_phase_induction_motor_speed_control_methods.pdf
    • https://cdn.shopify.com/s/files/1/0427/5775/0951/files/pelixugusowuretu.pdf
    • https://cdn.shopify.com/s/files/1/0433/2496/5019/files/nadadoxotigosazasi.pdf
    • https://cdn.shopify.com/s/files/1/0434/0521/3847/files/sidulasarogokeli.pdf
    • https://cdn.shopify.com/s/files/1/0430/7487/9641/files/microtech_halo_v.pdf
    • https://static.usrfiles.com/ugd/73f3b0_2c2e1c6f9f774645af5339cccae699e8.pdf
    • https://static.usrfiles.com/ugd/12f4eb_00996fd3760b4926b8dfe9021e23d756.pdf
    • https://static.usrfiles.com/ugd/23b571_09837046477b42b78693ed32010cb5d3.pdf
    • https://cdn.shopify.com/s/files/1/0428/9203/4211/files/anganwadi_mpr_form.pdf
    • https://cdn.shopify.com/s/files/1/0434/2156/5078/files/2002_honda_civic_ex_repair_manual.pdf
    • https://cdn.shopify.com/s/files/1/0467/5446/3907/files/28481792630.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000652c.bin
9b68c0bddc5b07d0cbdd5191e052fabb30e0580571bfba9f18eb9a3ff34470e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x652C 5248 bytes
font_01_sfnt_off00007713.bin
9def4c70b1749cf5a417dc07fb52e4d10e48c556405ed0221b540542509417d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7713 10120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.