Malicious PDF — malware analysis report

Static analysis result for SHA-256 be0c051be6a82ad2…

MALICIOUS

PDF

50.4 KB Created: 2020-08-30 06:01:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4cdf6f05e520082b79aa7146139d322e SHA-1: b200846ae46d12995411ebdf6dca3e6fcad38fbd SHA-256: be0c051be6a82ad220cbfc3a5255fff201a37b0f6fc8ba7477b7da34d25da21e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary heuristic indicates that these links lead to known malicious infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.cc/wix?keyword=fatal+bullet+respec, which is flagged as malicious. The presence of a link farm suggests an attempt to distribute malicious content or phishing pages.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=fatal+bullet+respec
    • https://cdn.shopify.com/s/files/1/0437/8905/8206/files/mexekoxefegawipolil.pdf
    • https://cdn.shopify.com/s/files/1/0433/9059/9319/files/48555581327.pdf
    • https://cdn.shopify.com/s/files/1/0429/3482/9223/files/nales.pdf
    • https://cdn.shopify.com/s/files/1/0435/8438/9275/files/11th_zoology_practical_download.pdf
    • https://cdn.shopify.com/s/files/1/0427/8019/7031/files/30529821952.pdf
    • https://cdn.shopify.com/s/files/1/0437/1916/4058/files/neural_network_cost_function.pdf
    • https://cdn.shopify.com/s/files/1/0436/3137/8590/files/43290687254.pdf
    • https://cdn.shopify.com/s/files/1/0429/6127/2988/files/76856189671.pdf
    • https://cdn.shopify.com/s/files/1/0437/2905/9989/files/cestina_express_1_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/1442/2687/files/spiderman_symbol_coloring_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0434/6360/6437/files/70098707281.pdf
    • https://cdn.shopify.com/s/files/1/0428/9839/1196/files/evento_cerebrovascular_isquemico_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000073e2.bin
bcf3289db904bfd7e69e0627ed493bbeeaad854b17e67049cfc5011e2553bded		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73E2 5684 bytes
font_01_sfnt_off00008794.bin
4839ae5e649dcd615a94761eb2a40033c3cf07df26ade15a4abcfb3e664d1ac7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8794 5020 bytes
font_02_sfnt_off000098b0.bin
a672175aaeb6eab253a7d4f209c280085209d449bc687f8b3019bf98e7899e2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x98B0 10640 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.