Malicious PDF — malware analysis report

Static analysis result for SHA-256 cce7aed2a7da8fde…

Verdict: MALICIOUS
File type: PDF
Size: 52.7 KB
Created: 2020-08-19 04:29:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 86e2851fc3ddb91af498285ebb8a4cd3
SHA-1: 9a68f8cf33c59d7afcda3d66213137c53068b1f1
SHA-256: cce7aed2a7da8fde56fd0bcd30a0cb8c8426eb5188b080af7f2765eea999b993
Risk score: 120

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF triggers a critical heuristic for a malicious redirector link pointing to 'https://ttraff.cc/pify?keyword=fizik+mistica+size+guide'. It also exhibits PDF link-farm behaviour, with numerous external links, many of them hosted on potentially compromised or malicious domains. The document body, though partially corrupted, contains the redirector URL and appears to be a lure for a 'size guide'. No scripts were extracted, but the presence of multiple unknown URLs suggests the document is a delivery mechanism for further malicious content that relies on the user clicking a link rather than on a parser vulnerability.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=fizik+mistica+size+guide

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000083c5.bin
  SHA-256: 645b7502e76b758afd757124c63107671e9a378db5c89f3e61b309bcc588140e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x83C5
  Size: 4864 bytes

Filename: font_01_sfnt_off0000945a.bin
  SHA-256: d5f34898662232bcbe96c35c783005fd5b08496f2379c5012da42aa0d9d036bb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x945A
  Size: 10484 bytes

Filename: font_02_sfnt_off0000b833.bin
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB833
  Size: 4324 bytes