Malicious PDF — malware analysis report

Static analysis result for SHA-256 dae904671394d582…

Verdict: MALICIOUS
File type: PDF
Size: 90.7 KB
Created: 2020-09-01 16:12:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e65b3c5adb6f0d48f7546533414408b
SHA-1: 22093d3fa19dd4e44c510f4508abc0ece1e0f7e7
SHA-256: dae904671394d5828dcea1dcfdd57d0a584009a0939cbfbb67aa0f8305c4c894
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, a pattern consistent with a link farm used for SEO manipulation or to obscure malicious redirects. One critical heuristic identified a direct link to known malicious redirector infrastructure at 'https://ttraff.link/wix?keyword=stumble+across+formal'. No scripts were extracted, but the number of links combined with the malicious redirector strongly indicates a phishing or redirection attempt.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=stumble+across+formal
    • https://cdn.shopify.com/s/files/1/0454/8155/8168/files/bahut_sare_game_karni_hai.pdf
    • https://cdn.shopify.com/s/files/1/0437/3485/9930/files/62720858567.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/30812088679.pdf
    • https://cdn.shopify.com/s/files/1/0432/4841/8973/files/timujatewugezo.pdf
    • https://cdn.shopify.com/s/files/1/0432/9376/9894/files/adjectives_list_comparative_and_superlative.pdf
    • https://cdn.shopify.com/s/files/1/0447/2219/2537/files/beautiful_nature_photos_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/8180/1629/files/wow_classic_patch_of_tainted_skin.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/99914628395.pdf
    • https://cdn.shopify.com/s/files/1/0448/7466/2055/files/ramebuxixa.pdf
    • https://static.usrfiles.com/ugd/b8c837_6e04bd0537104fb78929789da62f4ee1.pdf
    • https://static.usrfiles.com/ugd/b8c837_fec1fbf942ba4a808d1d1c814c909eef.pdf
    • https://static.usrfiles.com/ugd/b8c837_70b9141eab82439f9b62e8d9d77b190e.pdf
    • https://static.usrfiles.com/ugd/ca9b0a_d80f41eb8861423d99fadf88b280cc25.pdf
    • https://static.usrfiles.com/ugd/b8c837_157440d2edae43d6b7bdffdd7c5d561d.pdf
    • https://static.usrfiles.com/ugd/c20ea7_248b50c76ad045ea893367431fe2271f.pdf
    • https://static.usrfiles.com/ugd/0ebc1f_d413589695ef46be8786627b289edb6a.pdf
    • https://static.usrfiles.com/ugd/7ef0dc_fb076d16bfd04aa78a8e016ccfa28e0f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, kind, source location inside the sample, size and SHA-256.

stream_008_off00011feb.bin
    Kind:    decompressed-pdf-stream
    Source:  PDF FlateDecoded stream at offset 0x11FEB
    Size:    25276 bytes
    SHA-256: 2e06b8d703c168ce0674d3e6fbb18d5a0ae4a681d4f77f8560d374fa242ea29e

font_00_sfnt_off00007e3e.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x7E3E
    Size:    17228 bytes
    SHA-256: 1a2a18687c209c6089b905d54eb7fbf97e6a0f93e21ad0b4e288f7de35100e45

font_01_sfnt_off0000b590.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xB590
    Size:    5272 bytes
    SHA-256: a812de4b152fe179517f52b4aa130f6e930a0e43f3b785561da7fd14821e710e

font_02_sfnt_off0000c758.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xC758
    Size:    9092 bytes
    SHA-256: eac7e994b1c4c8d0c56b51a22b1f8111d1d1cc63d10e9d8164ecab5cafaf5331

font_03_sfnt_off0000e0ab.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xE0AB
    Size:    22072 bytes
    SHA-256: c6effdc26d6678499c6afe0f70cc79b17c3c526de0ba40a614f9fa532940d6c8

font_05_sfnt_off00014c7f.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x14C7F
    Size:    3536 bytes
    SHA-256: f837e33e7782deaaba3e545b9a0788a04daf5d48a93400e6e92d91a05c19fa22