Malicious PDF — malware analysis report

Static analysis result for SHA-256 d14ba51487626433…

MALICIOUS

PDF

42.5 KB Created: 2020-09-08 03:54:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7cb19c814d4da7d1961e6c89f1f2220a SHA-1: b836fd8f392011a7eaeed26c479b5081f71ec720 SHA-256: d14ba514876264338d50155cdd838c5c3d0c195578487ef759e08bf57052e81f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to shopify.com domains, which is indicative of a link farm designed to manipulate search engine results. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.club/wix?keyword=bhavesh+joshi+superhero+movie++720p+bluray'. This suggests the document's primary purpose is to redirect users to malicious infrastructure, likely for further exploitation or phishing.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=bhavesh+joshi+superhero+movie++720p+bluray
    • https://cdn.shopify.com/s/files/1/0429/0392/8991/files/matt_stafford_contract.pdf
    • https://cdn.shopify.com/s/files/1/0428/3806/5308/files/lofajakiduwok.pdf
    • https://cdn.shopify.com/s/files/1/0430/5377/7047/files/organelos_citoplasmaticos.pdf
    • https://static.usrfiles.com/ugd/2f3ac6_a66bc6eb013f4f368b8399267676765c.pdf
    • https://static.usrfiles.com/ugd/2ca09c_ad012d7eab1f43d7bb7c13d23054d072.pdf
    • https://static.usrfiles.com/ugd/2b25e8_cf906140133f4549bd6959acdcf0c6d4.pdf
    • https://cdn.shopify.com/s/files/1/0432/5592/2852/files/simple_cover_letter_template.pdf
    • https://cdn.shopify.com/s/files/1/0440/6129/4757/files/figawerenerelaza.pdf
    • https://cdn.shopify.com/s/files/1/0431/4795/2292/files/33463921857.pdf
    • https://static.usrfiles.com/ugd/de65f7_ecefabeff28847e294dba60d1f7f7725.pdf
    • https://static.usrfiles.com/ugd/9e41f0_2727df5f21e64aa89623f7f80bfeda69.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006722.bin
6cd1cbe96af5a71db8c90b154f4f1a37a72b45ac31d285f01c432ae0e72903db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6722 5840 bytes
font_01_sfnt_off00007ae8.bin
5be67cf039fb7700b90c753cbd3c3c0efa9fb656c27b2adf01a72eb8519e6540		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7AE8 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.