Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac3909303651ab20…

MALICIOUS

PDF

41.3 KB Created: 2020-08-30 14:52:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a8a991b9b9178f60ff280588ed8d188 SHA-1: f7a7a46a77159c08a284dc512d1a219e99d3ea7c SHA-256: ac3909303651ab20cecf32f3858f03796a19ca3823e2082f1ea4b22ca9fc54bf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in

The PDF file was identified as malicious due to the presence of numerous embedded links. One critical heuristic firing indicates a link to a known malicious redirector at 'https://ttraff.cc/wix?keyword=arkwright+wind+farm+map'. Additionally, the file contains a large number of external links, many hosted on cdn.shopify.com, suggesting a link farm or SEO poisoning tactic. The document body contains garbled text but includes the malicious URL and several benign-looking PDF links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=arkwright+wind+farm+map
    • https://cdn.shopify.com/s/files/1/0441/3010/7544/files/53899607095.pdf
    • https://cdn.shopify.com/s/files/1/0431/7121/7572/files/75659686044.pdf
    • https://cdn.shopify.com/s/files/1/0454/1526/8520/files/facebook_messenger_lite_apk_file.pdf
    • https://cdn.shopify.com/s/files/1/0431/4424/9499/files/8057173630.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/benubojebexoreloruva.pdf
    • https://cdn.shopify.com/s/files/1/0430/7930/3317/files/archaea_characteristics.pdf
    • https://cdn.shopify.com/s/files/1/0436/9596/4328/files/fipipu.pdf
    • https://cdn.shopify.com/s/files/1/0430/7084/9181/files/63446090524.pdf
    • https://cdn.shopify.com/s/files/1/0428/0988/4838/files/nerf_rival_rechargeable_battery_pack.pdf
    • https://cdn.shopify.com/s/files/1/0432/6352/5029/files/pidefakakiwilowofarowol.pdf
    • https://static.usrfiles.com/ugd/b8c837_942f0c572a584e59a5cc141a15430da4.pdf
    • https://static.usrfiles.com/ugd/ed64d2_639765bece284ed7b5f6b7834de91d10.pdf
    • https://static.usrfiles.com/ugd/efb3f0_5a90dd7c8f43493ab501c7e7081c4e56.pdf
    • https://static.usrfiles.com/ugd/b8c837_4882addf254c45429f8ddd300ca1c29a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060bd.bin
9be20407ae11d3ebbae2a82452d5724b8617d8d2c52f3246a6cba12cf0cac319		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60BD 5392 bytes
font_01_sfnt_off000072f8.bin
42f8b74b3ee0967d047d4a63c8ed6092a0b547522dc1e72f2b7d9f8369696331		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72F8 11048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.