Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6f722501676c775…

Verdict: MALICIOUS
File type: PDF
Size: 37.0 KB
Created: 2020-08-15 12:38:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e6c46a0f456131a8d15469f6346c68d
SHA-1: 06a225244f60809b6cdbfb08f488bce2a823d732
SHA-256: b6f722501676c775aaec14d630342494e19e4a07dbfb073a459c26facd86f6ca
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used to create SEO spam or redirect users to malicious sites. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.com/pify?keyword=perforated+steel+sheet+mesh'. The document body, though heavily obfuscated, also contains this URL, reinforcing the malicious intent. The presence of numerous other PDF links, many hosted on subdomains of various domains, further supports the link farm attack pattern.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.com/pify?keyword=perforated+steel+sheet+mesh

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000051f8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x51F8  5148 bytes
  SHA-256: 09749d7bc6dc4381b08c077e52f814502c21623c1f18f8813b00f9e8e8a3755a
font_01_sfnt_off00006349.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6349  10720 bytes
  SHA-256: 9968223e86aba45367a35e8a5d1d28ab59ec4b568d05449b1eb26c2a64c6a02f