Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbc30846162d09d3…

Verdict: MALICIOUS
File type: PDF
Size: 41.5 KB
Created: 2020-08-27 19:42:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7785593d5d98f82636761bce91e24dd3
SHA-1: 5d7b00e97407524e4f17f5dc33b251fa8340663b
SHA-256: dbc30846162d09d33a620439b33897d4112d7151c9c9e271a4c180484cc4b5f6
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, a technique often used in SEO link farms to manipulate search engine rankings or to distribute malicious content. One of the embedded URLs, 'https://ttraff.cc/pify?keyword=avpu+l%25C3%25A0+g%25C3%25AC', is flagged as a malicious redirector. The presence of numerous links, including those hosted on Shopify, suggests an attempt to camouflage the true malicious intent by blending with legitimate content. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/pify?keyword=avpu+l%25C3%25A0+g%25C3%25AC
    • http://riwolevus.marionminotti.org/uploads/1/3/2/6/132680813/be5f8f.pdf
    • https://cdn.shopify.com/s/files/1/0434/0085/5706/files/kupajexag.pdf
    • https://cdn.shopify.com/s/files/1/0461/9013/3406/files/como_hacer_un_render_en_sketchup.pdf
    • https://cdn.shopify.com/s/files/1/0431/6597/4690/files/46306914060.pdf
    • https://cdn.shopify.com/s/files/1/0441/2289/8584/files/supertech_oil_filter_lookup.pdf
    • https://cdn.shopify.com/s/files/1/0433/1234/9334/files/64890097084.pdf
    • https://cdn.shopify.com/s/files/1/0429/1405/4300/files/ielts_speaking_topics_september_2018_with_answers.pdf
    • https://cdn.shopify.com/s/files/1/0430/8605/3527/files/dinuvazaxumar.pdf
    • https://cdn.shopify.com/s/files/1/0437/3816/9498/files/bandura_et_al.pdf
    • https://cdn.shopify.com/s/files/1/0432/5395/6758/files/sezipajonax.pdf
    • https://cdn.shopify.com/s/files/1/0438/4532/0861/files/dry_augusten_burroughs_download.pdf
    • https://cdn.shopify.com/s/files/1/0437/6595/6760/files/cnet_s_avast.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006408.bin
  SHA-256: 0c16866ca2f6dfd73b1770fa329fee234f2a3fade686079f9c70697201822c1d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6408
  Size: 4840 bytes

Filename: font_01_sfnt_off000074a4.bin
  SHA-256: f3add3ca5e1c63f96286d40b1c33bed1c95bab6fd0c7cf2dbd9cd45d0b4a0e19
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x74A4
  Size: 10660 bytes