Malicious PDF — malware analysis report

Static analysis result for SHA-256 d58f2e6420120e72…

MALICIOUS

PDF

40.2 KB Created: 2020-08-30 08:39:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 40f9cfb44e7f834e7cdba6dd9389ca9a SHA-1: 32211658cf3e3b1079b1d9404b3bad558e249eb1 SHA-256: d58f2e6420120e727715350249de6dc21ee6940c85d9aa8bddd9f2b32b6b90ad
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link to a known malicious redirector, disguised with a keyword relevant to 'Mercruiser trim pump'. The document also functions as a link farm, directing users to numerous other PDF files hosted on Shopify. The primary malicious link is https://ttraff.cc/wix?keyword=mercruiser+trim+pump, which is likely intended to lead the user to a phishing or malware distribution site. The presence of a large number of external links suggests a SEO poisoning or link farm tactic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=mercruiser+trim+pump
    • https://cdn.shopify.com/s/files/1/0432/2800/4507/files/latest_ielts_reading_test_2020.pdf
    • https://cdn.shopify.com/s/files/1/0434/3015/0300/files/nerefafiv.pdf
    • https://cdn.shopify.com/s/files/1/0431/3969/4741/files/18581869005.pdf
    • https://cdn.shopify.com/s/files/1/0431/3346/8839/files/pobigoxejuja.pdf
    • https://static.usrfiles.com/ugd/e5a943_913101d9ba0e4585b6cfa3d7ffbc3b19.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ed7d066837e47e0b4727a39f1bd04c5.pdf
    • https://cdn.shopify.com/s/files/1/0433/5576/6942/files/33014747604.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/54058680795.pdf
    • https://cdn.shopify.com/s/files/1/0438/8762/4344/files/55680332528.pdf
    • https://cdn.shopify.com/s/files/1/0430/9352/4637/files/bitaputisolip.pdf
    • https://static.usrfiles.com/ugd/b8c837_6938b56e0ada4c10b1e4f861b6c83288.pdf
    • https://static.usrfiles.com/ugd/b8c837_304225c57c4f469bb25653ad08b00438.pdf
    • https://static.usrfiles.com/ugd/b8c837_a573635522b04c1a9b154a6f71eb4ae0.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f201087b05741799dd12326d283ecb9.pdf
    • https://static.usrfiles.com/ugd/80c1db_8fbd47989b224feebd74624ca5c5ea65.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f11.bin
60cd8917fcc6e3f75451a9eac64d2151093849e42a40749f0b243f9ae3af72b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F11 4840 bytes
font_01_sfnt_off00006f7a.bin
73200508c07eacc83fdc27a88efded8b6a5115c2bab54efeb3ddbfe3d5c366bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F7A 10752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.