Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2ae73fd6da9c01b…

MALICIOUS

PDF

44.2 KB Created: 2020-08-15 05:25:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ebff38195c91f1d159f203d37650fc7 SHA-1: d144459c198e23be55de7249f7991bfb5ced2223 SHA-256: b2ae73fd6da9c01bb2c6a44ecfa1fbf827125337a44072f3e20f8c7cee5e4769
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used to create link farms for SEO manipulation or to obscure malicious destinations. One of the embedded URLs, 'https://ttraff.com/wb?keyword=matthew%20arnold%20the%20study%20of%20poetry%20pdf', is identified as a malicious redirector. While many other links point to benign Shopify domains, the presence of the malicious redirector indicates a phishing or malware distribution attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=matthew%20arnold%20the%20study%20of%20poetry%20pdf
    • http://files.jericosoundsystems.com/uploads/1/3/1/4/131438111/3776236.pdf
    • http://bitase.corporatechilllout.com/uploads/1/3/1/4/131407511/5c7836e4a0805.pdf
    • http://files.varsity-prep.com/uploads/1/3/0/8/130813054/5058841.pdf
    • http://zesamuw.sowheetscakeshop.com/uploads/1/3/0/7/130775795/9961316.pdf
    • http://files.hilltopbusinessassociationdavenport.com/uploads/1/3/1/4/131452935/1659712.pdf
    • https://cdn.shopify.com/s/files/1/0434/9699/7030/files/visualforce_developer_guide.pdf
    • https://cdn.shopify.com/s/files/1/0433/8787/9580/files/69653439611.pdf
    • https://cdn.shopify.com/s/files/1/0437/8935/3109/files/xujenumovupavat.pdf
    • https://cdn.shopify.com/s/files/1/0430/0704/9877/files/jizunikuvelegagam.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/beloromawodosuxaso.pdf
    • https://cdn.shopify.com/s/files/1/0430/2890/6138/files/mopemezevefezejenudo.pdf
    • https://cdn.shopify.com/s/files/1/0431/7826/2692/files/xuzajurelinurasopu.pdf
    • https://cdn.shopify.com/s/files/1/0431/1384/0793/files/60263603628.pdf
    • https://cdn.shopify.com/s/files/1/0437/7221/5448/files/68281197419.pdf
    • https://cdn.shopify.com/s/files/1/0446/2844/3299/files/comments_in_c.pdf
    • https://cdn.shopify.com/s/files/1/0429/9803/8679/files/14030825880.pdf
    • https://cdn.shopify.com/s/files/1/0438/9827/3944/files/29305022055.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ea2.bin
da563d979af8b63b31c72332eea5c747fdbad3613ab37756dadd14daef8aea0f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EA2 5328 bytes
font_01_sfnt_off000080db.bin
c981a9dcfa3e8aad814b93251eea0ec80a741465a3e2308f3eb40fadb0f20c59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80DB 10236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.