Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba40cf9a4cba4779…

MALICIOUS

PDF

40.5 KB Created: 2020-09-06 17:53:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 95da813fe67b0c990671ce3d7edc21cc SHA-1: 82d208eca802c33cfe3bc7e47cb6a107c1c204ba SHA-256: ba40cf9a4cba4779dc67bc5e32eff186fd6e00e4d9f4a5bb97cd21bbe7d8ab80
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, many of which point to external PDF files hosted on Shopify. One critical heuristic indicates these links are part of a link farm, likely for SEO manipulation. Another critical heuristic flags a link to a known malicious redirector. The primary malicious URL identified is https://ttraff.me/wix?keyword=linux+chrome++folder, which is likely used to redirect users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=linux+chrome++folder
    • https://cdn.shopify.com/s/files/1/0434/7750/0057/files/66832490932.pdf
    • https://cdn.shopify.com/s/files/1/0434/2880/6807/files/jawaraluvanaxeronojebir.pdf
    • https://cdn.shopify.com/s/files/1/0438/4741/8016/files/37939855755.pdf
    • https://cdn.shopify.com/s/files/1/0432/6935/7728/files/pdf_to_word_converter_download_for_windows_10.pdf
    • https://cdn.shopify.com/s/files/1/0432/4222/5831/files/wojiv.pdf
    • https://cdn.shopify.com/s/files/1/0434/9473/6037/files/jejotodubumexedusenoxapuj.pdf
    • https://cdn.shopify.com/s/files/1/0437/0428/7383/files/tewimu.pdf
    • https://cdn.shopify.com/s/files/1/0432/9488/4000/files/vejegobosazexazufivazobe.pdf
    • https://static.usrfiles.com/ugd/52b593_9dc4bb73eb0f4ea3959c184d7c12c319.pdf
    • https://static.usrfiles.com/ugd/96768c_245066899ab348b9a49fd4115fa5ddda.pdf
    • https://static.usrfiles.com/ugd/47b1e8_5aa39b1e67334519935ff9b272028ca8.pdf
    • https://static.usrfiles.com/ugd/739437_7b52c313203a4277b544f939ab29c6a9.pdf
    • https://static.usrfiles.com/ugd/fb83f1_2a38b2c8fcfe486487b0fba03cf37e90.pdf
    • https://static.usrfiles.com/ugd/628a76_f1177b7d58254500b78f4ce91353bcd1.pdf
    • https://static.usrfiles.com/ugd/d38238_facf2af6391e4a5ca4df13effd9ba608.pdf
    • https://static.usrfiles.com/ugd/7598fa_9a5b372e109d485f92ea9d09e0248dc7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006172.bin
6d042446791e650da9addcd677dda06236ac3bb56034dd1b279b0a83745d5876		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6172 4884 bytes
font_01_sfnt_off000071e9.bin
0a9322e24e9aae1575403fbb4d19f4ce1304bda8bff0b76f3ce0ffaf76d71e8c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71E9 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.