Malicious PDF — malware analysis report

Static analysis result for SHA-256 de7e39d2935c3eba…

MALICIOUS

PDF

Size: 44.6 KB
Created: 2020-09-17 22:03:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 94e4552ee82eeaf7c711b35acefb077c
SHA-1: de605df7651583fe666b881ad0c8c36b166391ad
SHA-256: de7e39d2935c3eba203c8fa239e57edeb427db22547a445dfbb8cdc80919cac3
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, many of which point to a link farm hosted on Shopify. The primary malicious URL, 'https://ttraff.club/wix?keyword=respawnables+hack+apk+home', is identified as a malicious redirector. This suggests the document is designed to lure users into clicking on these links, potentially leading them to malicious content or further compromise. The presence of a keyword related to game hacks in the malicious URL indicates a social engineering tactic to entice clicks.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL (link annotation): https://ttraff.club/wix?keyword=respawnables+hack+apk+home

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                          | Kind            | Source                                    | Size
----------------------------------|-----------------|-------------------------------------------|------------
font_00_sfnt_off00006fb5.bin      | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6FB5 | 5380 bytes
  SHA-256: 024b065a0386695c56bad35e4a3a8775fc2a65a3d3f28eb2ced696b86f28cb86
font_01_sfnt_off000081f5.bin      | pdf-font-stream | PDF embedded font (sfnt) at offset 0x81F5 | 10384 bytes
  SHA-256: c8d9aec04eae6db9c670cd6354858ad57649f7727e536982a02cdf04d25cd13a