Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3a5eb54033c4602…

MALICIOUS

PDF

45.0 KB Created: 2020-08-18 13:20:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b36136bd7dce0fa90622c04bba859c5 SHA-1: ee7a66354789d35ccd28b55f1ec49b5e7d9fd4be SHA-256: b3a5eb54033c46026c4f8fa2d808999b2a42acda1c56bdd2ebadc3c717602260
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting seemingly benign PDFs. However, one critical heuristic identified a link to a known malicious redirector at 'ttraff.com'. This suggests a phishing or scam attempt, using a link farm to obscure the malicious destination. The document body itself contains garbled text but includes the target URL, reinforcing the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=bezafibrato+200+mg+bula+pdf
    • http://files.lusherartsandinnovation.com/uploads/1/3/1/4/131454317/xesuvelabixezim-fenodifedaxew-rofulovupofopi-texoruxej.pdf
    • http://files.lmican.com/uploads/1/3/0/7/130775182/17f3c3b0.pdf
    • https://cdn.shopify.com/s/files/1/0431/2724/2906/files/guvupixajemakaveba.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xikidewutuxazumal.pdf
    • https://cdn.shopify.com/s/files/1/0429/3633/6540/files/badminton_tournament_rules_and_regulations.pdf
    • https://cdn.shopify.com/s/files/1/0429/5612/8412/files/pedugajuwomuvivo.pdf
    • https://cdn.shopify.com/s/files/1/0433/6861/1998/files/aaron_burr_sir_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0433/4937/7177/files/xarufenudumaxudajotomabup.pdf
    • https://cdn.shopify.com/s/files/1/0431/4634/6657/files/fundamentals_of_business_law_barron.pdf
    • https://cdn.shopify.com/s/files/1/0439/1629/6360/files/les_bonnes_pratiques_cliniques.pdf
    • https://cdn.shopify.com/s/files/1/0434/4433/8838/files/42683107460.pdf
    • https://cdn.shopify.com/s/files/1/0431/4424/9504/files/ruxiwo.pdf
    • https://cdn.shopify.com/s/files/1/0434/8982/0836/files/bodmas_rule_in_maths_examples.pdf
    • https://cdn.shopify.com/s/files/1/0433/4885/2894/files/jay_z_anything.pdf
    • https://cdn.shopify.com/s/files/1/0429/6255/0940/files/sahaja_yoga_chakras.pdf
    • https://cdn.shopify.com/s/files/1/0433/6621/9941/files/55593865696.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070d1.bin
f328f5e34b73eac4350dcc002e7e45457a52591c3fd3c1e4cd630e11a9559154		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70D1 5696 bytes
font_01_sfnt_off0000841d.bin
188034dd7e0339104fc42fde1e1dbd629c126767061d06adaa58e2a6b745a9f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x841D 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.