Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7641161db909a85…

MALICIOUS

PDF

Size: 35.3 KB | Created: 2020-08-27 17:47:18 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f42127d2356d40a6ea324dc331d9a9e
SHA-1: 8cc5d314e42020370f6a6cdbb72c77a717266aae
SHA-256: c7641161db909a8539bb1fbae8f8a65ee523071e2260f06765800ecc71b06bed
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

A critical heuristic fires on a clickable link to known redirector infrastructure, 'https://ttraff.com/pify?keyword=il+pi%25C3%25B9+vicino+coinstar+vicino+a+me'. The keyword parameter is double URL-encoded; decoded it reads 'il più vicino coinstar vicino a me' (Italian for 'the nearest Coinstar near me'), a search query rather than anything a reader of the document would type, which is consistent with SEO poisoning. The document also carries a PDF link farm: twelve links to other PDFs, eleven of them hosted on cdn.shopify.com. Together these point to a generated carrier built to manipulate search engine results and funnel clicks into a redirect chain, not to an exploit of the PDF reader. No scripts were extracted, and the document body is largely unreadable binary data; the two carved font streams alone account for roughly 16 KB of the 35 KB file.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link targets (clickable URIs):
    • https://ttraff.com/pify?keyword=il+pi%25C3%25B9+vicino+coinstar+vicino+a+me (redirector; see PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://zeziga.aispng.org/uploads/1/3/2/8/132814930/55bafb26dbaf.pdf
    • https://cdn.shopify.com/s/files/1/0431/8609/4248/files/11016104032.pdf
    • https://cdn.shopify.com/s/files/1/0429/0389/6230/files/2191217901.pdf
    • https://cdn.shopify.com/s/files/1/0439/2783/0696/files/monty_python_lumberjack.pdf
    • https://cdn.shopify.com/s/files/1/0432/6254/1982/files/binanotivilotopadavezex.pdf
    • https://cdn.shopify.com/s/files/1/0430/9785/0017/files/85307742603.pdf
    • https://cdn.shopify.com/s/files/1/0432/7541/9798/files/xomudi.pdf
    • https://cdn.shopify.com/s/files/1/0448/1895/6449/files/ratof.pdf
    • https://cdn.shopify.com/s/files/1/0429/8221/1733/files/bubabiwuwaboxodafuni.pdf
    • https://cdn.shopify.com/s/files/1/0436/9291/6886/files/one_way_anova_example_problems_and_solutions.pdf
    • https://cdn.shopify.com/s/files/1/0435/8746/9471/files/44339245046.pdf
    • https://cdn.shopify.com/s/files/1/0432/6916/1110/files/gunks_guide_services.pdf
    The remaining URIs are standard XMP/RDF namespace identifiers from the document's metadata stream, not clickable links, and carry no signal on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
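The two critical heuristics above are simple enough to reproduce. The following is an added example, not the analysis platform's own code: it pulls /URI action targets out of a PDF with a regex, applies a link-farm check (small file, many external .pdf links, most on one host) and a redirector host match, and unwraps the double-encoded keyword parameter. It assumes uncompressed annotation dictionaries with literal strings, as wkhtmltopdf/Qt emits them; real-world use should inflate FlateDecode streams and handle hex strings first. The redirector host list, the thresholds and the minimal PDF built from the report's link targets are all constructed for the example.

```python
"""Added example: extract /URI link targets from a PDF and apply the report's
link-farm and redirector checks.  Assumes uncompressed, literal-string
annotation dictionaries (wkhtmltopdf/Qt style); thresholds and the redirector
host list are constructed, not the vendor's."""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlparse

# Matches the target in "/S /URI /URI (target)"; escaped parens not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Constructed list containing the host the report labels as redirector infrastructure.
REDIRECTOR_HOSTS = {"ttraff.com"}

# Link targets listed in the report (XMP namespace URIs are metadata, not links).
SAMPLE_URIS = [
    "https://ttraff.com/pify?keyword=il+pi%25C3%25B9+vicino+coinstar+vicino+a+me",
    "http://zeziga.aispng.org/uploads/1/3/2/8/132814930/55bafb26dbaf.pdf",
    "https://cdn.shopify.com/s/files/1/0431/8609/4248/files/11016104032.pdf",
    "https://cdn.shopify.com/s/files/1/0429/0389/6230/files/2191217901.pdf",
    "https://cdn.shopify.com/s/files/1/0439/2783/0696/files/monty_python_lumberjack.pdf",
    "https://cdn.shopify.com/s/files/1/0432/6254/1982/files/binanotivilotopadavezex.pdf",
    "https://cdn.shopify.com/s/files/1/0430/9785/0017/files/85307742603.pdf",
    "https://cdn.shopify.com/s/files/1/0432/7541/9798/files/xomudi.pdf",
    "https://cdn.shopify.com/s/files/1/0448/1895/6449/files/ratof.pdf",
    "https://cdn.shopify.com/s/files/1/0429/8221/1733/files/bubabiwuwaboxodafuni.pdf",
    "https://cdn.shopify.com/s/files/1/0436/9291/6886/files/one_way_anova_example_problems_and_solutions.pdf",
    "https://cdn.shopify.com/s/files/1/0435/8746/9471/files/44339245046.pdf",
    "https://cdn.shopify.com/s/files/1/0432/6916/1110/files/gunks_guide_services.pdf",
]


def build_pdf(uris: list[str]) -> bytes:
    """Constructed minimal PDF with one /Link annotation per URI.  The xref
    table is omitted; the regex extractor below does not need it."""
    annots, objs = [], []
    for n, uri in enumerate(uris, start=4):
        annots.append(f"{n} 0 R")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /Type /Action /S /URI /URI ({uri}) >> >>\nendobj\n")
    objs.append(f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >>\nendobj\n")
    objs.append("2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n")
    objs.append("1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n")
    return b"%PDF-1.4\n" + "".join(objs).encode("latin-1")


def extract_link_uris(pdf_bytes: bytes) -> list[str]:
    """Targets of every /URI action stored as a literal string, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def link_farm_verdict(size_bytes: int, uris: list[str], *, max_size: int = 100_000,
                      min_pdf_links: int = 8, cluster_ratio: float = 0.6) -> dict:
    """PDF_SEO_LINK_FARM logic: small file, many links to external PDFs, most of
    them on one host.  The three thresholds are constructed for this example."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    fired = size_bytes <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_ratio
    return {"fired": fired, "pdf_links": len(pdf_links), "top_host": top_host, "top_host_share": share}


def redirector_hits(uris: list[str]) -> list[str]:
    """PDF_MALICIOUS_REDIRECTOR_LINK logic: exact host match against the constructed list."""
    return [u for u in uris if urlparse(u).netloc.lower() in REDIRECTOR_HOSTS]


def decode_keyword(url: str, param: str = "keyword", max_rounds: int = 4) -> str:
    """Unwrap a (possibly multiply) percent-encoded query parameter.  parse_qs does
    the first decode; each further round strips one layer until the value is stable."""
    value = parse_qs(urlparse(url).query).get(param, [""])[0]
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(pdf_bytes: bytes) -> dict:
    uris = extract_link_uris(pdf_bytes)
    hits = redirector_hits(uris)
    return {"uris": uris, "link_farm": link_farm_verdict(len(pdf_bytes), uris),
            "redirectors": hits, "keywords": [decode_keyword(u) for u in hits]}


if __name__ == "__main__":
    report = analyse(build_pdf(SAMPLE_URIS))
    print(f"{len(report['uris'])} link targets; link farm: {report['link_farm']}")
    for url, kw in zip(report["redirectors"], report["keywords"]):
        print(f"redirector {url}\n  keyword decodes to: {kw!r}")
```

On the constructed PDF the link-farm check fires with cdn.shopify.com holding 11 of 12 PDF links, the redirector check returns the ttraff.com URL, and the keyword decodes to the Italian search query. Against real samples, run the extractor only after decompressing object and content streams, and treat the redirector list as an input to refresh, not a constant.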

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000049dd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x49DD   5192 bytes
  SHA-256: 9160de0b95ed6839f2cef62edd886d2e3ef464be1e2d1d2c4f086e03af241d12
font_01_sfnt_off00005b3a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5B3A  10640 bytes
  SHA-256: a28523231f64d125aeaf9a3e7f1cfebad31d15677381d246dc87c3aa19685d88