Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae031fc62b92f902…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Created: 2020-08-19 01:01:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 592d7b1245a5fe0c6d8e80b865072bdc
SHA-1: 8b6925bf9616f5fa34ced5311ad43654bd9df288
SHA-256: ae031fc62b92f9023400500fec90b2632ffe2f199b38bf9a33db4c7d1099b8ca
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file triggers a heuristic for a malicious redirector link pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains text fragments suggesting a lure for 'bazaar full movie pakistani'. This link likely leads to further malicious content or phishing attempts. The file also triggers the PDF link-farm heuristic, indicating a large number of external links; many of these are benign Shopify URLs, but the primary redirector is malicious.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=bazaar+full+movie++pakistani

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000063fe.bin
    SHA-256: 7a09c12029a8c194b07e6f3dd02dce2007e2fa8e35740a6c87b134482c187d83
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63FE
    Size: 5272 bytes
  • Filename: font_01_sfnt_off000075df.bin
    SHA-256: 326f7027579ea2902328fcae3a1151287d0667d354c4899aeaf86d49d3459f7f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x75DF
    Size: 10204 bytes