Malicious PDF — malware analysis report

Static analysis result for SHA-256 c456aa071c65cacb…

MALICIOUS

PDF

39.4 KB Created: 2020-08-31 16:19:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f18722b37cbf8971547f07b87aaad2b SHA-1: ae6e6d0a064140a98d5d4c692c50d347e180855b SHA-256: c456aa071c65cacbffdf0364ee1400a6829d700aa3e6d6f0ed8167796548efbf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to its inclusion of a large number of external links, a technique often used to redirect users to malicious sites. One such link, https://ttraff.cc/pify?keyword=adj+exercise+pdf, is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL, reinforcing the malicious intent. The file's structure and the presence of numerous links suggest a link farm or redirection attack.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=adj+exercise+pdf
    • https://static.usrfiles.com/ugd/b8c837_98c42a7bebad40b3bb10e7c6e3deba65.pdf
    • https://static.usrfiles.com/ugd/a382ee_3700e2533ed84595bf693df65b99f36b.pdf
    • https://static.usrfiles.com/ugd/b8c837_c1e374d10a264b2bbbd3c903cc4ae942.pdf
    • https://static.usrfiles.com/ugd/dc98cc_2563def69ab242e1b44b348616125e82.pdf
    • https://cdn.shopify.com/s/files/1/0440/3865/2069/files/72642307386.pdf
    • https://cdn.shopify.com/s/files/1/0434/5302/2369/files/maternity_dress_patterns.pdf
    • https://cdn.shopify.com/s/files/1/0432/1660/1249/files/tujazuro.pdf
    • https://cdn.shopify.com/s/files/1/0432/0624/6557/files/al_quran_30_juz_dan_terjemahan_bahasa_indonesia.pdf
    • https://cdn.shopify.com/s/files/1/0432/4045/6360/files/94905752364.pdf
    • https://cdn.shopify.com/s/files/1/0437/7519/7333/files/hearthstone_kobolds_and_catacombs_guide_priest.pdf
    • https://cdn.shopify.com/s/files/1/0429/5308/0985/files/23010356978.pdf
    • https://cdn.shopify.com/s/files/1/0437/6585/8455/files/60597312166.pdf
    • https://cdn.shopify.com/s/files/1/0435/2511/1972/files/14522157645.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d1b.bin
ec6579c698d7aed63a08de4a5a418e704a79c42a151d5fb32b9f10998c696a75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D1B 5040 bytes
font_01_sfnt_off00006e63.bin
9962e826dbb23977cdbdba1edb90dbd1a114773b6604720faaaeab0347b7c8f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E63 10156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.