Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac1966e6df9f929d…

MALICIOUS

PDF

43.6 KB Created: 2020-09-04 06:46:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 67fef865a295364f0b791a01d1abcd95 SHA-1: f38d77c6a30f3101a72daeea5c40a2f2266e1b1d SHA-256: ac1966e6df9f929d4d023725ac5cd9f47413a72cc524b8b9be298503ee18008b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=inadvertent+disclosure+of+privileged+information+california'. This URL is presented within the document body, suggesting a social engineering lure to trick users into clicking it. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to benign Shopify or usrfiles.com domains, likely to mask the malicious redirector. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=inadvertent+disclosure+of+privileged+information+california
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nunixa.pdf
    • https://cdn.shopify.com/s/files/1/0463/2766/0706/files/sovezejudedem.pdf
    • https://cdn.shopify.com/s/files/1/0434/3057/6285/files/fidic_contract_agreement_template.pdf
    • https://static.usrfiles.com/ugd/493135_7b9bc05df96842f4a7e2495047861cc2.pdf
    • https://static.usrfiles.com/ugd/aef5b7_6b489a22f62442669e3f643ec0c13852.pdf
    • https://static.usrfiles.com/ugd/b8c837_653b4965d3fb433f8d4c65a45cf23aa2.pdf
    • https://static.usrfiles.com/ugd/b5aed9_dd348617c69946e3bf96cc92c348ffb2.pdf
    • https://cdn.shopify.com/s/files/1/0432/5654/5433/files/musofedolinefepo.pdf
    • https://cdn.shopify.com/s/files/1/0432/3495/1331/files/47664748946.pdf
    • https://cdn.shopify.com/s/files/1/0434/2802/0373/files/32194118710.pdf
    • https://static.usrfiles.com/ugd/b80405_a6999d2af6ba4e9a9b9b8686cbca3a58.pdf
    • https://static.usrfiles.com/ugd/2d797c_c78b1608f570496aa2faea689a21d82a.pdf
    • https://static.usrfiles.com/ugd/2e4eb4_eb0a25594e724ffabbebbf257e9c4a9a.pdf
    • https://static.usrfiles.com/ugd/eb4c03_c3ede5b8091242b195c92ad3c8b7308a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000698c.bin
d94dac8cdd75fa77825331cfeab3c922a41a134052ad051d06951e2533885003		 pdf-font-stream PDF embedded font (sfnt) at offset 0x698C 5472 bytes
font_01_sfnt_off00007c24.bin
b7207da5da9bffec713267c5efecfdc195318d0ff8a26900a682b0be28b1e002		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C24 10264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.