Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3d6f758cd757a5f…

MALICIOUS

PDF

41.7 KB Created: 2020-08-21 19:48:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83449574e57eaa6cd99eff7d3f36e0be SHA-1: 675b1548bfa40d6d90044a91ddf8f8c237bb82be SHA-256: b3d6f758cd757a5fd919e01b05f17ff4b5072fad10477668faa1c5f36601d6de
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains, but one critical link redirects to a known malicious domain, ttraff.com. The document body, though heavily obfuscated, contains text related to 'building images free' and the malicious URL, suggesting a lure to a potentially harmful site. The presence of a link farm and a redirector indicates an attempt to obscure the final malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=building+images+free
    • http://vumedova.peer-cell.org/uploads/1/3/1/3/131380771/8703936.pdf
    • http://rofuwesa.projectgust.org/uploads/1/3/1/3/131398140/57545b769d.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lobusine.pdf
    • https://cdn.shopify.com/s/files/1/0432/5307/2022/files/7508476550.pdf
    • https://cdn.shopify.com/s/files/1/0432/9386/8187/files/11328287844.pdf
    • https://cdn.shopify.com/s/files/1/0437/3859/5482/files/ziparan.pdf
    • https://cdn.shopify.com/s/files/1/0438/1740/2530/files/app_backup_apk4fun.pdf
    • https://cdn.shopify.com/s/files/1/0430/7301/1863/files/joroviwerowoxadomijetaxir.pdf
    • https://cdn.shopify.com/s/files/1/0429/0566/5703/files/jaberetozub.pdf
    • https://cdn.shopify.com/s/files/1/0427/7708/4070/files/dagemajijod.pdf
    • https://cdn.shopify.com/s/files/1/0430/9912/7959/files/edital_prf_verticalizado.pdf
    • https://cdn.shopify.com/s/files/1/0433/2666/8952/files/17833456373.pdf
    • https://cdn.shopify.com/s/files/1/0439/3825/0910/files/minute_maid_seating_guide.pdf
    • https://cdn.shopify.com/s/files/1/0437/6962/6781/files/morurusez.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ee0.bin
7d07548343828e7f9ca3da2fb892474d574e14081a90174d8b8b3274c630f9ad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EE0 5276 bytes
font_01_sfnt_off000070b0.bin
64f18812eb155fcf77563ec580c4093fe4af15ba73a89d366789d7cbf13eff71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70B0 13216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.