Malicious PDF — malware analysis report

Static analysis result for SHA-256 c230919db397c33b…

Verdict: MALICIOUS
File type: PDF
Size: 49.0 KB
Created: 2020-08-29 00:40:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 602acbff54a08f03e90134068bd2115b
SHA-1: 5d3d3022144e5777bb90ac2029280de4588ea01d
SHA-256: c230919db397c33b183243050e3cbaa736dadbbc11050a36eb3664f95a45eec5
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged for containing a malicious redirector link pointing to 'ttraff.com', which is associated with malicious activity. Additionally, it was identified as a PDF link farm, with numerous links pointing to Shopify-hosted PDFs, suggesting an attempt to manipulate search engine results or distribute further malicious content. The document body contains placeholder text and metadata, but the primary malicious functionality appears to be driven by the embedded malicious URL.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_URGENCY_LURE: Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                      Size
font_00_sfnt_off000073b6.bin  e76a7aaed0bbb474d23baf6e8a1bbc10ebe0f5d00a573ca74b526f1def068614  pdf-font-stream  PDF embedded font (sfnt) at offset 0x73B6   6012 bytes
font_01_sfnt_off00008831.bin  01d89f79120567c851dea0caa5b5ee7547c8211069383f1d59f8dd00f92a958c  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8831   2464 bytes
font_02_sfnt_off0000930c.bin  0f8f90d3ae86a9a3ea57f87565b838db2e6b23948271638a7babfbd892a5e6a2  pdf-font-stream  PDF embedded font (sfnt) at offset 0x930C   10528 bytes