Malicious PDF — malware analysis report

Static analysis result for SHA-256 b83b23a9a1c65a38…

MALICIOUS

PDF

Size: 47.1 KB
Created: 2020-09-05 04:17:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89729ed7c4e44d0f23c6ec21ef536e06
SHA-1: 70a70ea983aef20e3ce66782683977cd3de797c9
SHA-256: b83b23a9a1c65a38a996a938cb2c059ece2154c87a242655b57a0a9058aa05a9
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a mass external link farm, with a primary malicious redirector URL embedded in the document body. This URL, 'https://ttraff.link/wix?keyword=merry+christmas+baby+bruce+springsteen+sheet+music', is designed to redirect users to potentially harmful content. The document's content and structure suggest a phishing or malware distribution attempt disguised as legitimate content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.link/wix?keyword=merry+christmas+baby+bruce+springsteen+sheet+music

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000785d.bin
  SHA-256: 2f80dbeddeb35cc6d896ce059dfdf73baad202b1d3ae820e856bccc36d39265c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x785D
  Size: 5564 bytes

Filename: font_01_sfnt_off00008b2f.bin
  SHA-256: 304470cc4044faf2ba22981244bdc45a38047c48e15916b7219a54115e4188ce
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8B2F
  Size: 10476 bytes