Malicious PDF — malware analysis report

Static analysis result for SHA-256 d60797bb60b5165c…

MALICIOUS

PDF

48.0 KB Created: 2020-08-30 05:18:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f1d14a0dfdc1141e38ebbc55465bcd6 SHA-1: 3a2bd495e2dcbc36686ce1a5ce7766970f2066c6 SHA-256: d60797bb60b5165c597768825a66e5186ba0b814d821a9912dae76cada25bd7a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=herramientas+de+control+de+calidad+libro'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, including one to 'https://cdn.shopify.com/s/files/1/0431/4637/9426/files/kidew.pdf'. The document body, though partially corrupted, suggests a lure related to 'Herramientas de control de calidad libro' (Quality control tools book). The combination of these factors indicates a phishing or redirection attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=herramientas+de+control+de+calidad+libro
    • https://cdn.shopify.com/s/files/1/0431/4637/9426/files/kidew.pdf
    • https://cdn.shopify.com/s/files/1/0427/6633/6166/files/misabupija.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/57955619809.pdf
    • https://cdn.shopify.com/s/files/1/0429/8627/4967/files/fotuduvibifoxifukib.pdf
    • https://cdn.shopify.com/s/files/1/0431/3019/2039/files/uk_self_assessment_form.pdf
    • https://static.usrfiles.com/ugd/5899d5_4a37a4f16a934db5a329e290de3a2113.pdf
    • https://cdn.shopify.com/s/files/1/0432/1103/0683/files/41932776267.pdf
    • https://cdn.shopify.com/s/files/1/0440/2629/8533/files/61978666275.pdf
    • https://cdn.shopify.com/s/files/1/0431/6764/5857/files/80383021360.pdf
    • https://cdn.shopify.com/s/files/1/0430/9748/9561/files/17298342438.pdf
    • https://cdn.shopify.com/s/files/1/0429/4243/1395/files/21832513692.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007cec.bin
d5608f6d95d0f7f229f6f1c57aba6b5c0100d29da45e47efd66db86f7cf81a20		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CEC 5188 bytes
font_01_sfnt_off00008e63.bin
d33c5e3e91fc59e486dc21b1960b51e86a0e8c5959d9ff5086c6e16c556a44f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E63 11296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.