Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd1a51363d8d7354…

MALICIOUS

PDF

70.3 KB Created: 2020-07-25 16:15:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f80dc9b231caeee4e34cbcbf34f9e0c SHA-1: f12215e1bbb7eb4c08d3ead9ec9dcf22b81b25c2 SHA-256: dd1a51363d8d7354c41a01a0f1c5affecd1fd205f50efc5d23b45fa5c5afecdf
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. Additionally, it exhibits characteristics of a link farm, with numerous embedded links, many hosted on Shopify. The document body, though heavily obfuscated, suggests a lure related to 'Mobogenie for pc free filehippo'. The presence of a callback phishing lure heuristic further supports the malicious intent.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=mobogenie+for+pc+free++filehippo
    • http://files.schylerthepotter.com/uploads/1/3/1/3/131379356/tekajog.pdf
    • http://files.sarahhoppe.com/uploads/1/3/1/4/131413905/vumagiwototok.pdf
    • http://files.bluewaternavy.org/uploads/1/3/1/4/131406441/tuwumuvop.pdf
    • https://cdn.shopify.com/s/files/1/0432/4114/4483/files/57812217732.pdf
    • https://cdn.shopify.com/s/files/1/0428/3547/6636/files/vupiwefedugapamuxub.pdf
    • https://cdn.shopify.com/s/files/1/0430/6498/3703/files/bakuzukonakobes.pdf
    • https://cdn.shopify.com/s/files/1/0431/0820/4704/files/35672044989.pdf
    • https://cdn.shopify.com/s/files/1/0433/0124/0985/files/92123068985.pdf
    • https://cdn.shopify.com/s/files/1/0431/2875/0241/files/7539969151.pdf
    • https://cdn.shopify.com/s/files/1/0433/9938/1157/files/zosexe.pdf
    • https://cdn.shopify.com/s/files/1/0430/4414/3253/files/33278190351.pdf
    • https://cdn.shopify.com/s/files/1/0430/3316/5986/files/fogozunugux.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/26225030347.pdf
    • https://cdn.shopify.com/s/files/1/0429/6101/0842/files/14201388715.pdf
    • https://cdn.shopify.com/s/files/1/0431/6528/6566/files/21624391015.pdf
    • https://cdn.shopify.com/s/files/1/0429/3260/0985/files/gupifupabasama.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cefa.bin
d7af0474518b43b74971b32b80fa9c1b88d43a825f78f7605df920e2447586c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCEFA 4740 bytes
font_01_sfnt_off0000df07.bin
a7f087c139f3fa3f12e919afe47f6a1122622f41c5e3a55cc5c36df8a8db98da		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF07 13924 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.