Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7127ec0e0654502…

MALICIOUS

PDF

44.8 KB Created: 2020-08-11 20:15:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 643782be911ace8acaeed96c9ef73e97 SHA-1: 581a32f81056daa2687938c8210987f150c11363 SHA-256: c7127ec0e065450270e3e5924fdf8cfb30740a60f64833197929b2088d4a2210
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body also contains this URL, along with numerous other links to Shopify-hosted PDFs, suggesting a link farm designed for SEO manipulation. The primary malicious link likely leads to further malicious content or phishing attempts.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=best+self+journal+pdf+download
    • http://files.bluelightplayers.com/uploads/1/3/1/6/131636644/4697924.pdf
    • http://files.kellyseyelashextensions.com/uploads/1/3/1/4/131406082/lozulivaf_sutuvi_turuzi.pdf
    • http://files.clearingconversations.com/uploads/1/3/1/4/131438641/7524430.pdf
    • http://files.myfaeryoracle.com/uploads/1/3/1/4/131454436/2100024.pdf
    • https://cdn.shopify.com/s/files/1/0434/9722/6402/files/rebem.pdf
    • https://cdn.shopify.com/s/files/1/0437/8994/2945/files/rental_application_form.pdf
    • https://cdn.shopify.com/s/files/1/0430/6750/6845/files/56417432999.pdf
    • https://cdn.shopify.com/s/files/1/0431/6112/5025/files/capitalization_and_punctuation_worksheets_2nd_grade.pdf
    • https://cdn.shopify.com/s/files/1/0429/1526/6713/files/xujubazedon.pdf
    • https://cdn.shopify.com/s/files/1/0428/8865/9100/files/applied_statistics_and_research_methods.pdf
    • https://cdn.shopify.com/s/files/1/0430/7045/5965/files/auden_poems.pdf
    • https://cdn.shopify.com/s/files/1/0432/8462/7624/files/call_center_quality_assurance_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0432/0870/4164/files/sisamumokajini.pdf
    • https://cdn.shopify.com/s/files/1/0428/2040/3356/files/bobemu.pdf
    • https://cdn.shopify.com/s/files/1/0430/3106/8825/files/penndot_address_change.pdf
    • https://cdn.shopify.com/s/files/1/0429/2801/3475/files/bevalij.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007153.bin
2b9fbd69bc651d14f5649cadefe5d52344025b2a05eb4fbe7dd33d7f2bb628ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7153 5252 bytes
font_01_sfnt_off00008353.bin
7ff2498453a2538c9b11251740def26789a9b63998643a585a845e4cd669748b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8353 10292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.