Malicious PDF — malware analysis report

Static analysis result for SHA-256 c50707360853a706…

MALICIOUS

PDF

39.3 KB Created: 2020-08-23 20:17:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 839b95a2c0d06c0928b4e5aa732c30f1 SHA-1: d27f2b8757b3691e2ced98274ed00c03c7670219 SHA-256: c50707360853a706e03e7f27de5a8ad688cc477e0cea831188f27e7ea491dbc7
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm and a visual download button lure, directing users to a malicious redirector at ttraff.com. The document body, though heavily obfuscated, contains the same malicious URL and references to other PDF files hosted on Shopify. This indicates a social engineering attempt to trick users into visiting malicious infrastructure.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=pediatric+allergic+rhinitis+treatment+guidelines
    • http://weriv.simplysouthernfoodie.com/uploads/1/3/0/7/130775505/labesirarewidanemi.pdf
    • http://jodaxiw.impulsivelust.com/uploads/1/3/0/8/130814187/dereruna-gesemikevuwo-nevoz-vonomarono.pdf
    • http://files.yoganurse.net/uploads/1/3/1/3/131398385/5162747.pdf
    • https://cdn.shopify.com/s/files/1/0431/2891/4074/files/21058187868.pdf
    • https://cdn.shopify.com/s/files/1/0431/6053/5196/files/57848737905.pdf
    • https://cdn.shopify.com/s/files/1/0427/5719/3895/files/xerunebesonatebesoririk.pdf
    • https://cdn.shopify.com/s/files/1/0430/7743/5556/files/tamil_mp4_movies.pdf
    • https://cdn.shopify.com/s/files/1/0433/0681/1560/files/aprendizajes_clave_primaria_segundo_grado.pdf
    • https://cdn.shopify.com/s/files/1/0429/8748/7385/files/26822462370.pdf
    • https://cdn.shopify.com/s/files/1/0431/2625/9876/files/jatulipozusurujokum.pdf
    • https://cdn.shopify.com/s/files/1/0429/8568/5153/files/aparichitudu_cinema_songs.pdf
    • https://cdn.shopify.com/s/files/1/0438/6462/1211/files/segoe_ui_web_font.pdf
    • https://cdn.shopify.com/s/files/1/0430/1740/4573/files/sisolipufipake.pdf
    • https://cdn.shopify.com/s/files/1/0438/4686/0957/files/46778421510.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c46.bin
c66953edf1ce3460ec205fdd43f3fb6b34f5b40828f02bf408ddc086af305e71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C46 5352 bytes
font_01_sfnt_off00006e3e.bin
ac6af6f7057a3065042ef773fc261d0ec928501753fa4f4a6c40a236cec97bbb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E3E 9948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.