Malicious PDF — malware analysis report

Static analysis result for SHA-256 b63fd88651690468…

MALICIOUS

PDF

40.7 KB Created: 2020-08-24 13:15:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 48ac900b8994d6faee619abc79c3d3df SHA-1: da0351f4df8949dee9d9bc037d9538ce4713310b SHA-256: b63fd88651690468e16d2cecddbffe1051bd17c8e6bb4a33339d3e0f28c10608
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link disguised as a "carrom pool game hack apk" which redirects to a known malicious URL. The document also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources, many of which are hosted on Shopify. The primary malicious URL is ttraff.cc, identified as a redirector. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=carrom+pool+game+hack+apk
    • http://zilew.nestresidential.co.nz/uploads/1/3/2/7/132710589/8217301.pdf
    • https://cdn.shopify.com/s/files/1/0433/1234/9334/files/biotechnology_definition.pdf
    • https://cdn.shopify.com/s/files/1/0428/7807/5036/files/54127863415.pdf
    • https://cdn.shopify.com/s/files/1/0435/3504/0664/files/70667836912.pdf
    • https://cdn.shopify.com/s/files/1/0430/4168/5665/files/50189133676.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/78108387577.pdf
    • https://cdn.shopify.com/s/files/1/0434/7530/4612/files/fault_line_map.pdf
    • https://cdn.shopify.com/s/files/1/0434/8506/9477/files/simoru.pdf
    • https://cdn.shopify.com/s/files/1/0435/2756/9576/files/somediwewemozeluwixepopu.pdf
    • https://cdn.shopify.com/s/files/1/0437/6661/2130/files/mikemijirezagunopugaxur.pdf
    • https://cdn.shopify.com/s/files/1/0464/6354/9592/files/rasozexufixilawi.pdf
    • https://cdn.shopify.com/s/files/1/0437/7794/9848/files/76144010072.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000623e.bin
559aaacb8d8a7e5c694d809d24fc10917c7883cc16cff97e99efed72ad0b8e07		 pdf-font-stream PDF embedded font (sfnt) at offset 0x623E 5140 bytes
font_01_sfnt_off0000739b.bin
af8f92bc923bfd5fb94f9655a34c23078aae114ef8864f97b1e027fa6850346f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x739B 10280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.