Malicious PDF — malware analysis report

Static analysis result for SHA-256 d68cb4e9d753c684…

MALICIOUS

PDF

35.7 KB Created: 2020-08-18 21:06:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff8fa382bf5f03750023853d71289200 SHA-1: 525043a63d4f59f547ebcb6a0020b0065a239d33 SHA-256: d68cb4e9d753c6842f911cee6cd519385d9a3cf322526dbbef399f2e6b199e79
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm and a direct link to a known malicious redirector, ttraff.com. The document body, though heavily obfuscated, contains the same malicious URL and appears to be a lure for background images. The PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics confirm the malicious intent of linking to external, potentially harmful, resources.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=background+pics+hd
    • http://files.globalisationandcities.com/uploads/1/3/1/6/131607174/jilaxafufusekiw.pdf
    • http://files.articulationarts.org/uploads/1/3/1/6/131637308/pujavukenaro_defezibuk.pdf
    • http://nemasan.caughtphotography.info/uploads/1/3/1/0/131070420/c844764.pdf
    • http://lovaleva.chantelclucier.com/uploads/1/3/1/4/131453109/fe5bdeb1.pdf
    • https://cdn.shopify.com/s/files/1/0430/3860/5461/files/pamesamepaxoz.pdf
    • https://cdn.shopify.com/s/files/1/0432/2151/6448/files/nobezut.pdf
    • https://cdn.shopify.com/s/files/1/0435/6653/0728/files/xubepupozebodunadomuti.pdf
    • https://cdn.shopify.com/s/files/1/0429/1549/6092/files/kuvukub.pdf
    • https://cdn.shopify.com/s/files/1/0434/0380/4839/files/47392828078.pdf
    • https://cdn.shopify.com/s/files/1/0431/1557/7504/files/wuzazujugetesevuvufigex.pdf
    • https://cdn.shopify.com/s/files/1/0445/7899/6383/files/39839260838.pdf
    • https://cdn.shopify.com/s/files/1/0434/0213/3653/files/axis_bank_asap_account_features.pdf
    • https://cdn.shopify.com/s/files/1/0436/0765/4563/files/canon_in_d_guitar_chords.pdf
    • https://cdn.shopify.com/s/files/1/0428/9508/1635/files/50009274711.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d20.bin
f4e6ba5f37bd013d64bc625075d98f3a38fe88830f012032de1593f32a9ab0e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D20 5416 bytes
font_01_sfnt_off00005f85.bin
b530b571ddb8c61554ae30a30269741082bcfae98bf9b5958ba477c9e31e24c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F85 10228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.