Malicious PDF — malware analysis report

Static analysis result for SHA-256 de9587f7b3ec71eb…

MALICIOUS

PDF

40.7 KB Created: 2020-08-01 02:30:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 55f534affda5126d96f7021b4318adc1 SHA-1: eca36246d957620817d5a6a4230224983df9a020 SHA-256: de9587f7b3ec71eb1748d6820715f47e3e6624d52aa231e3c33e74c3f907fd49
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded links, many of which point to a redirector service. The primary malicious URL identified is https://ttraff.cc/pify?keyword=fuel+filter+cross+reference+chart+pdf, which is likely used to redirect the user to a malicious site. The document body, though heavily obfuscated, contains references to the redirector URL and other benign-looking PDF links, suggesting a link farm or redirection tactic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=fuel+filter+cross+reference+chart+pdf
    • http://files.easternsloperanch.com/uploads/1/3/2/6/132681404/3588728.pdf
    • http://files.stonebeltsupply.com/uploads/1/3/1/0/131070619/boxodilijul-wazaruligeni-jakanedizede.pdf
    • http://files.partocica.com/uploads/1/3/1/4/131437005/tekezoz.pdf
    • http://files.r3magicalessence.com/uploads/1/3/1/1/131163538/1f533d0.pdf
    • https://cdn.shopify.com/s/files/1/0438/3558/8770/files/13326624025.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/91337380597.pdf
    • https://cdn.shopify.com/s/files/1/0432/5025/3979/files/d_d_4e_campaign.pdf
    • https://cdn.shopify.com/s/files/1/0428/6965/3663/files/94208175642.pdf
    • https://cdn.shopify.com/s/files/1/0435/6207/4261/files/3171577075.pdf
    • https://cdn.shopify.com/s/files/1/0431/5122/9089/files/88009352372.pdf
    • https://cdn.shopify.com/s/files/1/0433/0127/3758/files/kaxotasimamesowote.pdf
    • https://cdn.shopify.com/s/files/1/0431/5735/6695/files/maziv.pdf
    • https://cdn.shopify.com/s/files/1/0433/0366/5822/files/63480123383.pdf
    • https://cdn.shopify.com/s/files/1/0437/6811/9453/files/xuxibokawedanufifitenelu.pdf
    • https://cdn.shopify.com/s/files/1/0432/3812/9823/files/20310042537.pdf
    • https://cdn.shopify.com/s/files/1/0430/7235/6509/files/3365360625.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006361.bin
796e4e60627b94b425f83c20e4aec2ff91b4b11b650b94acbb3b4376874845bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6361 5196 bytes
font_01_sfnt_off0000750b.bin
dfd5b95682659b9d124f5ca94c782a8a7e389973ead97e4f8f1d4b60fdfbb446		 pdf-font-stream PDF embedded font (sfnt) at offset 0x750B 9684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.