Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6b8d91f91eb5ed6…

MALICIOUS

PDF

46.6 KB Created: 2020-08-03 02:45:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75e36d81195d1ed099a5a7aa888dd0f9 SHA-1: 2687ce6a761e59baf26f3a01f28d7c1467a21e05 SHA-256: d6b8d91f91eb5ed6414cc24925d586fc5beba38b3310b2b267696ded9a2aeebf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in

The PDF contains a significant number of embedded links, with one identified as a redirector to a known malicious domain (ttraff.com). This suggests the document is designed to lure users to malicious sites, likely for phishing or to download further malware. The presence of numerous other links, many hosted on Shopify, indicates a potential link farm or SEO poisoning attempt to increase visibility. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=usmc+6105+pdf
    • http://files.northcountrylittlesblog.com/uploads/1/3/1/0/131069860/wirojanalikix.pdf
    • http://files.northwoodsyogaandwellness.com/uploads/1/3/0/7/130740138/905cde375635e55.pdf
    • http://files.gabcmemphis.org/uploads/1/3/2/6/132682990/9079200.pdf
    • https://cdn.shopify.com/s/files/1/0429/1677/4054/files/45282411045.pdf
    • https://cdn.shopify.com/s/files/1/0439/8697/6926/files/runescape_smithing_calculator.pdf
    • https://cdn.shopify.com/s/files/1/0432/0657/4238/files/papevigelekunurizibozig.pdf
    • https://cdn.shopify.com/s/files/1/0433/8561/8583/files/78949160376.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tizerosotusalasebix.pdf
    • https://cdn.shopify.com/s/files/1/0430/7668/1882/files/wulumofulofomonaxavesu.pdf
    • https://cdn.shopify.com/s/files/1/0429/2971/7407/files/womabomug.pdf
    • https://cdn.shopify.com/s/files/1/0437/9040/1687/files/vogeporalodazuvirag.pdf
    • https://cdn.shopify.com/s/files/1/0430/3867/1010/files/fomopanaj.pdf
    • https://cdn.shopify.com/s/files/1/0433/8266/9464/files/19078334249.pdf
    • https://cdn.shopify.com/s/files/1/0440/9635/6504/files/razewufuloxofafakaki.pdf
    • https://cdn.shopify.com/s/files/1/0430/6924/3549/files/jomumurimobifoteluwuta.pdf
    • https://cdn.shopify.com/s/files/1/0431/6758/0317/files/57013961349.pdf
    • https://cdn.shopify.com/s/files/1/0433/7133/1734/files/pebagumakenagipajirafoma.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079ea.bin
976dda965b33910ced6e33d47770a165833b20f2af18e55e7c92a5b89b1c2a67		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79EA 5428 bytes
font_01_sfnt_off00008c66.bin
a20010f5e4f52323ae099f89f10e33139bcaf9bf29ecde3ce255295bee056fde		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C66 9796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.