Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab942a1a599b05f7…

MALICIOUS

PDF

48.4 KB Created: 2020-09-01 11:21:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe0ba84246529288227aa51c829cb6cb SHA-1: 9178820d019902b42c6fea8eb6468c3b1e2134d1 SHA-256: ab942a1a599b05f7e30a90efa231418903a09515935ce37c123685f67b4c0681
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of numerous embedded links. A critical heuristic firing indicates that these links point to a known malicious redirector infrastructure, specifically 'ttraff.com', which is likely used for SEO poisoning or to mask malicious destinations. The document body contains garbled text but also includes the URL that triggered the heuristic, confirming its presence. The file also contains a large number of external PDF links, many hosted on Shopify, which is characteristic of link farms.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=algorithms+in+java+sedgewick+pdf
    • https://static.usrfiles.com/ugd/238140_fda4300a98ee48ee93e4c4539a35c88a.pdf
    • https://static.usrfiles.com/ugd/8b9728_8db8a9ac890747e98905e31f349456e3.pdf
    • https://static.usrfiles.com/ugd/5b604d_a5896193f6f4471cb3461d163cbd85c0.pdf
    • https://cdn.shopify.com/s/files/1/0451/3693/7125/files/akito_the_exiled_ep_5.pdf
    • https://cdn.shopify.com/s/files/1/0437/6569/4613/files/bugubugowipefadozodulet.pdf
    • https://cdn.shopify.com/s/files/1/0465/1719/0806/files/79768973441.pdf
    • https://cdn.shopify.com/s/files/1/0430/9090/3193/files/88200226612.pdf
    • https://cdn.shopify.com/s/files/1/0435/0155/1771/files/92687910237.pdf
    • https://cdn.shopify.com/s/files/1/0439/5152/1947/files/ali_g_indahouse_720p.pdf
    • https://cdn.shopify.com/s/files/1/0430/1894/4665/files/gosemevedawesavi.pdf
    • https://static.usrfiles.com/ugd/bf650e_7611b7e801ff4e6a9fcb8476d8451cde.pdf
    • https://static.usrfiles.com/ugd/d01287_94d46d4487514fbfb9136952388ea4df.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007f34.bin
8b28377dd1cd476e1e8070b4cbac5033c42fd455f894562923b1f45789a12891		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F34 5848 bytes
font_01_sfnt_off00009312.bin
08870dcd46337a4860ad271257dea5a81c5b90afa1e5c755eff95bde876e9328		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9312 9904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.