Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9d064018c779ca0…

MALICIOUS

PDF

49.1 KB Created: 2020-08-19 22:06:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 930e25d6daa3202b5c0122e93e25128c SHA-1: 72d83a087cb8a15a66dd8c9a0f1856531372f491 SHA-256: b9d064018c779ca0fd87e554762a88d84e26a032af67e41d0282cd7f95dc6584
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious File: Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.cc'. Additionally, it exhibits a PDF link farm heuristic, with numerous links to PDFs hosted on Shopify. The document body, though heavily obfuscated, contains the same redirector URL. This suggests a campaign focused on distributing malicious content or phishing through a network of linked PDFs, potentially for SEO manipulation or to lure users to malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=borbaad+bengali+song
    • http://sakido.highstrungdurham.com/uploads/1/3/1/4/131437981/taliteviro.pdf
    • https://cdn.shopify.com/s/files/1/0436/0008/5160/files/72244918067.pdf
    • https://cdn.shopify.com/s/files/1/0436/3298/4222/files/mathematics_for_commerce_economics_and_business.pdf
    • https://cdn.shopify.com/s/files/1/0431/0423/9783/files/yugioh_gx_episode_list.pdf
    • https://cdn.shopify.com/s/files/1/0452/4562/8578/files/73730874758.pdf
    • https://cdn.shopify.com/s/files/1/0429/2021/4681/files/depopadufu.pdf
    • https://cdn.shopify.com/s/files/1/0437/2729/0518/files/30472594276.pdf
    • https://cdn.shopify.com/s/files/1/0427/5548/9948/files/abbyy_transformer_3._0_full.pdf
    • https://cdn.shopify.com/s/files/1/0437/7218/2685/files/53832114767.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zukukujumifuxutage.pdf
    • https://cdn.shopify.com/s/files/1/0432/5349/8014/files/19954403618.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c40.bin
8603b947669d0dc5bb684df6701b1d7957cfa715789239fe455848cad513beac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C40 5180 bytes
font_01_sfnt_off00006de2.bin
904a6f252faa38ab6f8ba87977c8a239d863fcaa6ee561c6341e206e7100666b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DE2 8396 bytes
font_02_sfnt_off00008874.bin
2450c584c8f27c66e3af1b2d39f99c16bf576eb2fe5e77d797b72f3f138d679a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8874 15208 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.