Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae872b5646a5bc64…

MALICIOUS

PDF

46.9 KB Created: 2020-08-09 23:25:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d24f49c023c040fb5906346810491334 SHA-1: 708d99dba31c21425a24c986d8e8e15b5db12365 SHA-256: ae872b5646a5bc64201e828ef2464bd835b59ee24725d5b937bcfaf6d407bae0
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic indicating it links to known malicious redirector infrastructure, specifically `ttraff.com`. It also exhibits characteristics of a PDF SEO link farm, hosting numerous links to other PDF files, many of which are hosted on `cdn.shopify.com` or other domains. The document body, though partially corrupted, contains text related to downloading PDF books and includes the malicious URL, suggesting a lure to download further content which may be malicious. The SE_INVOICE_LURE heuristic further supports the idea of a deceptive lure.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=history+of+english+literature+pdf+books+free+download
    • http://files.feishifukungfu.com/uploads/1/3/1/4/131406604/645e72c6d56bf7.pdf
    • http://files.losgringoslawn-landscape.com/uploads/1/3/1/8/131856666/tekup.pdf
    • http://files.paintfactory.co.nz/uploads/1/3/1/3/131380042/6691656.pdf
    • https://cdn.shopify.com/s/files/1/0430/2418/7549/files/15096462632.pdf
    • https://cdn.shopify.com/s/files/1/0430/5240/0789/files/les_articulations_synoviales.pdf
    • https://cdn.shopify.com/s/files/1/0433/9079/5934/files/calculus_edwards_and_penney_6th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0431/4152/9762/files/35262749696.pdf
    • https://cdn.shopify.com/s/files/1/0436/1604/3168/files/norutibutevaw.pdf
    • https://cdn.shopify.com/s/files/1/0432/5654/5433/files/80811338498.pdf
    • https://cdn.shopify.com/s/files/1/0434/8346/3832/files/audi_a5_sportback_2020_manual.pdf
    • https://cdn.shopify.com/s/files/1/0429/4141/5587/files/74885267883.pdf
    • https://cdn.shopify.com/s/files/1/0437/6179/5230/files/6170868881.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007593.bin
45b9e25e1c73619ba5b2bda25f8c177e5e15825c1c34735a11f678cdd200c8a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7593 5660 bytes
font_01_sfnt_off000088e0.bin
231ecd51a1cff50bfd801abc4716545c41fa45b8365e8c93c623082f51e0aa01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88E0 11116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.