Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc9ffc18219b0b17…

MALICIOUS

PDF

41.2 KB Created: 2020-09-19 07:15:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89f39e77255d876c044cdca7f6c31676 SHA-1: cba78780092b0f1c1162222f728fd505f8e9ad8e SHA-256: dc9ffc18219b0b174d290480b83d19b5a1ba9669e808f18a4e470df7e7a2008d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one heuristic specifically identifying it as a PDF link farm. The primary malicious URL, 'https://ttraff.link/wix?keyword=gravity+fsx+1.0+weight', is flagged as a known malicious redirector. While no scripts were extracted, the sheer volume of links and the presence of a malicious redirector suggest a campaign aimed at either SEO manipulation or user redirection to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=gravity+fsx+1.0+weight
    • https://6631a917-2241-46e7-a9a1-e26198fb7601.filesusr.com/ugd/95bb70_7ef5051f6b3246e9b7d7e97e09d6deee.pdf?index=true
    • https://1feb512b-3dd9-43a7-80f6-d41e4f12e493.filesusr.com/ugd/5b5da7_edc4f9589a9a4494bacedcb1e0e29784.pdf?index=true
    • https://6b1644f3-3765-423e-852d-8bb20b96c59d.filesusr.com/ugd/8acad3_26f5ef3c587d4988bb40a3d9968b8aea.pdf?index=true
    • https://7eff996f-c70c-4206-bcaa-997dc7dec71f.filesusr.com/ugd/5899d5_f83f3d2efefc44c0932fd4fcbcf7520e.pdf?index=true
    • https://e600ca2e-2480-49cb-89fc-c4a4a19d09be.filesusr.com/ugd/7a13df_23134f625fd44991858210b8efd6faae.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0437/5419/3047/files/quiz_maker_offline_apk.pdf
    • https://cdn.shopify.com/s/files/1/0461/5769/3091/files/jurnal_hernia_umbilikalis.pdf
    • https://cdn.shopify.com/s/files/1/0440/5205/4181/files/geological_ages.pdf
    • https://cdn.shopify.com/s/files/1/0433/1474/1413/files/84585798359.pdf
    • https://cdn.shopify.com/s/files/1/0430/3316/5986/files/pimarewinalodupomoxetodi.pdf
    • https://cdn.shopify.com/s/files/1/0432/6971/8172/files/76517482785.pdf
    • https://cdn.shopify.com/s/files/1/0436/3298/4222/files/inventor_3d.pdf
    • https://cdn.shopify.com/s/files/1/0439/3821/8152/files/barmeno_medium_font.pdf
    • https://cdn.shopify.com/s/files/1/0448/6466/7810/files/adjectives_word_order_worksheets.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062cc.bin
e927148c7f30e8ca3162ab7f86bb2b2413ecb262a15e442cb9a2ad524796621f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62CC 5576 bytes
font_01_sfnt_off000075f8.bin
23d0595cbf4b4ccd28962734adfc625eca9f8bf103ded99cf4d5f144bee460b8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75F8 10000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.