Malicious PDF — malware analysis report

Static analysis result for SHA-256 d78edc00dae22810…

MALICIOUS

PDF

59.0 KB Created: 2020-09-18 22:18:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 67b44988216de89508c8876cad9ac89a SHA-1: e64ae816d5d79df2f1504e938dfb2fe8ffa3278a SHA-256: d78edc00dae228103e6f5bcbd1f9f43c9a2856aedd51a7720bc7b1d63532dba9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, which is further supported by the presence of the URL "https://ttraff.me/wix?keyword=descargar+spotify+premium+full+apk+2019" in the document body. This URL is designed to trick users into downloading potentially unwanted or malicious software. The file also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external PDF documents, suggesting an attempt to manipulate search engine results or distribute further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=descargar+spotify+premium+full+apk+2019
    • http://jurixade.nckpackaging.com/uploads/1/3/1/4/131407057/ca9bab89df3c.pdf
    • http://rosis.cathyspagnoli.com/uploads/1/3/0/7/130776330/nuremekisibeti-kusir.pdf
    • http://zipake.benseverson.com/uploads/1/3/2/6/132681351/8243395.pdf
    • https://70fe03ef-9063-4e89-9824-381fb034ff89.filesusr.com/ugd/2f7489_14fd3394d5614e04937ab7a5eeaee114.pdf?index=true
    • https://2e0204f1-fff8-49e5-9ecb-7aebee8b57c7.filesusr.com/ugd/99afdc_5a07977f4d3c452f82241a4a2693c148.pdf?index=true
    • https://681fd06e-aad4-4b24-90dd-bfe43b0940f7.filesusr.com/ugd/09273f_e7bcc7ddf8244bd6817c9ce9264b7182.pdf?index=true
    • https://007f2d7b-f286-424d-9d12-acd0d6af7a21.filesusr.com/ugd/6203b9_e52694bf4c1940b2812fb5ad73a3e195.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0432/1270/1854/files/56493261247.pdf
    • https://cdn.shopify.com/s/files/1/0440/9524/2392/files/78921672856.pdf
    • https://cdn.shopify.com/s/files/1/0430/1216/1685/files/venn_diagram_probability_worksheet_with_answers.pdf
    • https://cdn.shopify.com/s/files/1/0439/4971/9720/files/muscular_system_neuromuscular_junction_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0429/3846/6471/files/spoken_english_malayalam_file_download.pdf
    • https://390077c1-2c9e-4c3e-802a-5b2efbae1334.filesusr.com/ugd/2ca22b_a41fe1f9e92c4508a994dab72123006c.pdf?index=true
    • https://b1fdf464-5cd3-44b3-8322-4973b6c301d6.filesusr.com/ugd/a2c2bc_a554982373114eff9bad6c289c20fb71.pdf?index=true
    • https://2e9412aa-e272-447a-b1d4-1cfd59af203f.filesusr.com/ugd/24deb6_c240d352066d45a08f4bab19d3fce481.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008205.bin
5a216c96bca3bfadc424445488731d3b2f71a5d005080a7db1d0744c064a6284		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8205 5756 bytes
font_01_sfnt_off000095bc.bin
bf339eeca9f69b4d32dc5dad0bad13d3e7c5a58109dd634fe38b35b2b7f86754		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95BC 10800 bytes
font_02_sfnt_off0000baa7.bin
aad9bc0f36eadc3314e08670b59090120051e308b357201f134af3d0b781b2b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBAA7 16312 bytes
font_03_sfnt_off0000d033.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD033 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.