Malicious PDF — malware analysis report

Static analysis result for SHA-256 d57bed99d2ec3eb3…

MALICIOUS

PDF

37.4 KB Created: 2020-08-09 00:20:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ffd944aef7f62907d3871f5dd29970a7 SHA-1: 795fade44c9cf90600b27a1deace843aaa005b8b SHA-256: d57bed99d2ec3eb3e1a121e6a1c915e781e4a51f45b16b32f555cd6482998220
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, including a critical redirector link to ttraff.cc, suggesting a phishing or content-luring attempt. The document body, though heavily obfuscated, contains text related to 'pdf download' and the malicious URL, reinforcing the attack pattern. The presence of a mass external PDF link farm further indicates malicious intent to distribute or redirect users to potentially harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=novel+ceros+dan+batozar+pdf+download
    • http://files.geraldinemalone.ca/uploads/1/3/2/6/132681969/wetivuwozilamix.pdf
    • http://talobaris.infosphereab.com/uploads/1/3/1/3/131383283/nudowiw.pdf
    • http://files.cocopahfarms.com/uploads/1/3/1/8/131856771/fovuxun-punoliduwuvuz-mubuwakikifugab-bejojidosoru.pdf
    • http://files.whenthingsgowrongmovie.com/uploads/1/3/1/3/131380258/9541314.pdf
    • https://cdn.shopify.com/s/files/1/0432/6424/5925/files/62534331217.pdf
    • https://cdn.shopify.com/s/files/1/0437/8427/4081/files/ropixozejijunirasuwuzage.pdf
    • https://cdn.shopify.com/s/files/1/0437/8345/4872/files/refego.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zexula.pdf
    • https://cdn.shopify.com/s/files/1/0432/6857/1294/files/76787502427.pdf
    • https://cdn.shopify.com/s/files/1/0437/6556/3549/files/dadulivizosag.pdf
    • https://cdn.shopify.com/s/files/1/0431/5634/0890/files/16019715857.pdf
    • https://cdn.shopify.com/s/files/1/0434/2428/4824/files/mixogatedes.pdf
    • https://cdn.shopify.com/s/files/1/0427/6482/8838/files/62504875119.pdf
    • https://cdn.shopify.com/s/files/1/0431/0056/9753/files/wefinezapatexumex.pdf
    • https://cdn.shopify.com/s/files/1/0433/1434/8197/files/99147137967.pdf
    • https://cdn.shopify.com/s/files/1/0431/9313/9364/files/dodge_ram_service_manual_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/9823/5289/files/debuv.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000052fd.bin
167fbe589d5170bff5ca1d3f8c1ddf75470e83276d539307cc53d49fbd5617e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52FD 5460 bytes
font_01_sfnt_off000065be.bin
53381541171ae641590e3e801e19bec7790be6fcd48ddaf90fb35322a7fc85d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65BE 10148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.