Malicious PDF — malware analysis report

Static analysis result for SHA-256 caeff4065ecb3429…

MALICIOUS

PDF

40.0 KB Created: 2020-09-04 14:44:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 676b6b0b4789be04f245d92389f606b3 SHA-1: 22944469957147e557f0ce543c421b6abba0e559 SHA-256: caeff4065ecb3429ac8f7fc94eb46f679691b81ef4a200942ee29269fffddd5e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with one critical link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the text 'Carsguide best medium suv' and the malicious URL 'https://ttraff.link/wix?keyword=carsguide+best+medium+suv', suggesting a lure to a malicious site. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=carsguide+best+medium+suv
    • https://static.usrfiles.com/ugd/b90ba1_768ffed3fa6b46d1bf8620fb6d8bb84d.pdf
    • https://static.usrfiles.com/ugd/87fdc7_0497a6d3abfb4f17a5b2753d3f98835c.pdf
    • https://static.usrfiles.com/ugd/b8c837_4e879196731f4fcd8f61cb0a8b758c74.pdf
    • https://static.usrfiles.com/ugd/3a38e0_f63f25914cb7416ea6f00c1193d851ed.pdf
    • https://static.usrfiles.com/ugd/cac9e4_094a8942d79e4e3a9a78cd180c3761d2.pdf
    • https://static.usrfiles.com/ugd/34e21e_bd8f878ed22243959d6b37202a8adf93.pdf
    • https://static.usrfiles.com/ugd/f1780b_8fafb1174b1347849d962e468bf4852d.pdf
    • https://static.usrfiles.com/ugd/b8c837_e3b43b291c5e40c28f94e13b21089103.pdf
    • https://cdn.shopify.com/s/files/1/0431/2711/1841/files/2nd_line_for_pc.pdf
    • https://cdn.shopify.com/s/files/1/0436/1509/2893/files/64807249420.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f98.bin
ad98750cad1a8835ce2f1075be4d46c6dda9423397059e0ef3527c4b16839eb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F98 5216 bytes
font_01_sfnt_off0000713c.bin
db2a626b9da81e4a5029ed0d460ad9ef4d30bad4ed47cbb5734fc52eeef70e31		 pdf-font-stream PDF embedded font (sfnt) at offset 0x713C 10128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.