Malicious PDF — malware analysis report

Static analysis result for SHA-256 d92d65aec328f146…

Verdict: MALICIOUS
File type: PDF
Size: 52.8 KB
Created: 2020-08-15 03:22:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 880612618a65451aef4095fb3f7dc0a3
SHA-1: 3e7842610cf201b9250e63e760d1ecaeb3e4e375
SHA-256: d92d65aec328f146e5cfcf12c20da2a8b2a73dde26d14d62cb7e55b2b484c5ef
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

A critical heuristic fires on a clickable link to ttraff.com, redirector infrastructure used by a known PDF SEO/adware delivery campaign. A second critical heuristic flags a link farm: this 52.8 KB document carries thirteen clickable links to external PDFs on several hosts, eight of them on cdn.shopify.com. The Shopify URLs point at files uploaded to Shopify's public CDN, so the hosting provider is not the indicator; the uploaded PDFs are. The document body text, although heavily obfuscated, also contains the redirector URL and several of the PDF URLs, and the wkhtmltopdf producer string shows the file was rendered from HTML; both fit a generated carrier document rather than authored content. The primary intent appears to be routing users through a redirector chain. Documents of this kind rely on the user clicking a link rather than on a PDF parser vulnerability.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    URLs carried by link annotations and the document body text:
    • https://ttraff.com/pify?keyword=2019+afrobeat+mix+afro-+mania+5+free
    • http://files.countertruth.com/uploads/1/3/1/0/131070398/vomolab.pdf
    • http://mafor.mosaicsbysandisykora.com/uploads/1/3/1/3/131398455/a5d208203d.pdf
    • http://files.alphagolfopen.org/uploads/1/3/1/1/131163960/ed3bef772221.pdf
    • http://files.tenniswos.co.uk/uploads/1/3/1/8/131856353/vozisimejifezemile.pdf
    • http://juwuga.canadaimmigration-lawyer.com/uploads/1/3/1/6/131607163/rufodefafuzatixoga.pdf
    • https://cdn.shopify.com/s/files/1/0439/5070/2750/files/problemas_psicosociales_en_la_adolescencia.pdf
    • https://cdn.shopify.com/s/files/1/0434/9139/3698/files/rekoxoduputiko.pdf
    • https://cdn.shopify.com/s/files/1/0446/0825/8211/files/cetoprofeno_injetavel_im_bula.pdf
    • https://cdn.shopify.com/s/files/1/0437/1133/2507/files/pirates_of_the_caribbean_trumpet_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0432/9563/7659/files/35946929813.pdf
    • https://cdn.shopify.com/s/files/1/0430/9647/3749/files/hp_digital_imaging_monitor.pdf
    • https://cdn.shopify.com/s/files/1/0438/0796/5345/files/english_grammar_for_kids.pdf
    • https://cdn.shopify.com/s/files/1/0433/6753/0657/files/51521531004.pdf
    XMP metadata namespace URIs (schema identifiers from the document's metadata stream, not clickable links; reported for completeness and not scored):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
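The two link heuristics above can be reproduced with a small extractor. The following is an added example written for this page, not the analyser's own code: it pulls URIs out of a PDF by channel (literal-string /URI entries in link annotations versus xmlns declarations in XMP metadata), then applies PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM to the clickable set only. The thresholds (200 KB, six .pdf links, half of them on one host), the redirector blocklist containing only ttraff.com, and the build_sample_pdf() document assembled from a subset of the URLs listed above are all assumptions. Real PDFs also encode URIs as hex strings, with escape sequences, or inside object streams, which this regex pass does not cover.

```python
"""Added example, not the analyser's own code: extract URIs from a PDF by the
channel that carries them and apply the two link heuristics described above.
Thresholds and the redirector blocklist are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

MAX_SMALL_SIZE = 200_000          # assumed: "small PDF" for PDF_SEO_LINK_FARM
MIN_PDF_LINKS = 6                 # assumed: "many" external .pdf links
CLUSTER_RATIO = 0.5               # assumed: "mostly" on one host
REDIRECTOR_HOSTS = {"ttraff.com"}  # assumed stand-in for a redirector feed

URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")        # literal-string /URI only
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9]+="([^"]+)"')   # XMP schema namespaces
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def _regions(pdf: bytes):
    """Yield the raw file, then every stream that inflates as FlateDecode."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # other filter or not a stream; raw bytes were already scanned

def extract_uris(pdf: bytes) -> dict:
    """Group URIs by channel: clickable /Link annotations versus xmlns
    declarations in XMP metadata, which are schema identifiers, never links."""
    out = {"link_annotation": [], "metadata_namespace": []}
    for region in _regions(pdf):
        for key, rx in (("link_annotation", URI_ANNOT_RE), ("metadata_namespace", XMLNS_RE)):
            for m in rx.finditer(region):
                u = m.group(1).decode("latin-1")
                if u not in out[key]:
                    out[key].append(u)
    return out

def link_farm_verdict(link_uris, file_size: int) -> dict:
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, mostly one host."""
    pdf_links = [u for u in link_uris if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = top_n / len(pdf_links) if pdf_links else 0.0
    fires = (file_size <= MAX_SMALL_SIZE and len(pdf_links) >= MIN_PDF_LINKS
             and ratio >= CLUSTER_RATIO)
    return {"fires": fires, "pdf_links": len(pdf_links),
            "top_host": top_host, "cluster_ratio": round(ratio, 2)}

def redirector_hits(link_uris) -> list:
    """PDF_MALICIOUS_REDIRECTOR_LINK: clickable URI whose host is on the blocklist."""
    return [u for u in link_uris if urlparse(u).netloc.lower() in REDIRECTOR_HOSTS]

def build_sample_pdf(urls) -> bytes:
    """Constructed input: one page with a /Link annotation per URL and a
    Flate-compressed XMP stream declaring the usual schema namespaces."""
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    meta = zlib.compress(xmp)
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>",
            b"<< /Type /Metadata /Subtype /XML /Filter /FlateDecode /Length %d >>\nstream\n"
            % len(meta) + meta + b"\nendstream"]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
             + u.encode() + b") >> >>" for u in urls]
    pdf = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % n + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

SAMPLE_URLS = [  # constructed from a subset of the URLs listed in this report
    "https://ttraff.com/pify?keyword=2019+afrobeat+mix+afro-+mania+5+free",
    "http://files.countertruth.com/uploads/1/3/1/0/131070398/vomolab.pdf",
    "http://files.alphagolfopen.org/uploads/1/3/1/1/131163960/ed3bef772221.pdf",
    "https://cdn.shopify.com/s/files/1/0439/5070/2750/files/problemas_psicosociales_en_la_adolescencia.pdf",
    "https://cdn.shopify.com/s/files/1/0434/9139/3698/files/rekoxoduputiko.pdf",
    "https://cdn.shopify.com/s/files/1/0446/0825/8211/files/cetoprofeno_injetavel_im_bula.pdf",
    "https://cdn.shopify.com/s/files/1/0437/1133/2507/files/pirates_of_the_caribbean_trumpet_sheet_music.pdf",
    "https://cdn.shopify.com/s/files/1/0432/9563/7659/files/35946929813.pdf",
]

def analyse(pdf: bytes) -> dict:
    """Run both heuristics over a PDF's bytes; namespaces are counted, never scored."""
    uris = extract_uris(pdf)
    return {"redirector": redirector_hits(uris["link_annotation"]),
            "link_farm": link_farm_verdict(uris["link_annotation"], len(pdf)),
            "namespaces_ignored": len(uris["metadata_namespace"])}

if __name__ == "__main__":
    print(analyse(build_sample_pdf(SAMPLE_URLS)))
```

Running the block prints the verdict for the constructed document; pass the bytes of a real sample to analyse() to triage it. The metadata namespaces are counted but never scored, which is exactly the distinction the per-URL channel labels in the EMBEDDED_URL entry exist to make: a hit on rdf-syntax-ns or ns.adobe.com is metadata, not a link anyone can click.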

Extracted artifacts (6)

Files carved from inside the sample during analysis.

font_00_sfnt_off00004c0a.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x4C0A
    Size:    6424 bytes
    SHA-256: 120dfd7c7977cfb9a90e0c19aa24ce80f3ad63f69756627d616fe21accc03e95

font_01_sfnt_off00005bec.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x5BEC
    Size:    5240 bytes
    SHA-256: 834b7f983548c86f6598de220a337a6afcf00f7496bf6248811c591ee8194694

font_02_sfnt_off00006d9f.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x6D9F
    Size:    3712 bytes
    SHA-256: a2104aad95730e21989fbff1149e77b377f921392fdedad3da8c00d206af6892

font_03_sfnt_off00007c4e.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x7C4E
    Size:    11516 bytes
    SHA-256: 3c2393514ef0a1b8d7336264e256b014a0081c20f8c3cbcab02223c134090f7e

font_04_sfnt_off0000a25c.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xA25C
    Size:    16076 bytes
    SHA-256: 007377d672ad35e960bd13d3f92b574e68300ebd174b34df27fa78aa6545cdcd

font_05_sfnt_off0000b700.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xB700
    Size:    4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
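Each artifact above is identified by the offset, length and SHA-256 of an sfnt font. The following is an added example, not the analyser's code, showing one way to derive those three values: scan for an sfnt version tag (0x00010000, OTTO or true), validate the table directory that follows it, and take the font's length from the furthest table end. The sfnt header and table-record layout are from the OpenType specification; build_fake_sfnt(), the FAKE_FONT it produces and the SAMPLE_PDF that wraps it are constructed test inputs, and the 64-table cap is an assumed sanity limit. The directory check is what rejects the word "true" wherever it appears in a PDF dictionary.

```python
"""Added example, not the analyser's own code: carve embedded sfnt fonts
(TrueType/OpenType) out of a PDF by validating the sfnt table directory and
report offset, length and SHA-256, as the artifact table does."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # sfntVersion values
MAX_TABLES = 64                                         # assumed sanity cap

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sfnt_extent(buf: bytes, off: int):
    """Length of the sfnt starting at off, or None if the table directory is not
    self-consistent (bytes that merely look like a magic, or a truncated font)."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 0 < num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables          # header plus one 16-byte record per table
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):      # tags are printable ASCII
            return None
        if t_off < dir_end or t_off + t_len > len(buf) - off:
            return None                                 # table must follow the directory and fit
        end = max(end, t_off + t_len)
    return end

def carve_sfnt(buf: bytes):
    """Yield (offset, length, sha256) for every validated sfnt in buf."""
    pos = 0
    while True:
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return
        off = min(hits)
        size = sfnt_extent(buf, off)
        if size is None:              # e.g. "true" inside a PDF dictionary
            pos = off + 1
            continue
        yield off, size, sha256_of(buf[off:off + size])
        pos = off + size

def build_fake_sfnt(tables: dict) -> bytes:
    """Constructed input: a minimal TrueType-flavoured sfnt holding the given tables."""
    n = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    records, body = b"", b""
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)   # tables are 4-byte aligned
    return header + records + body

FAKE_FONT = build_fake_sfnt({b"head": b"H" * 54, b"cmap": b"C" * 20})
# Constructed carrier: the font sits in a stream object, and a "/Marked true"
# entry supplies a false-positive magic that the directory check must reject.
SAMPLE_PDF = (b"%%PDF-1.4\n1 0 obj\n<< /Length %d >>\nstream\n" % len(FAKE_FONT)
              + FAKE_FONT + b"\nendstream\nendobj\n2 0 obj\n<< /Marked true >>\nendobj\n%%EOF\n")

def carve_sample() -> list:
    """Carve results for SAMPLE_PDF as a list of (offset, length, sha256)."""
    return list(carve_sfnt(SAMPLE_PDF))

if __name__ == "__main__":
    for off, size, digest in carve_sample():
        print(f"sfnt at offset 0x{off:X}, {size} bytes, sha256 {digest}")
```

The carver works on whatever bytes it is given, so for fonts stored under /FlateDecode run it over the inflated stream rather than the raw file. A stricter version would also check the 'head' table's magic number and verify table checksums; the length rule alone is enough to recover the artifact boundaries the table reports.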