Malicious PDF — malware analysis report

Static analysis result for SHA-256 de9dccfc6c57217e…

MALICIOUS

PDF

38.2 KB Created: 2020-08-30 22:02:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82baa0c524abaeee7d4e09b2c2f04636 SHA-1: efd16d36f8adb5c334a5d79379c729a1696bd09a SHA-256: de9dccfc6c57217e44edfd5b8fa330619fcf580b19e209e7beebe09cf977673c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-Override

The PDF file contains a large number of embedded links, a technique often used in SEO link farms to manipulate search engine rankings. One of these links, https://ttraff.com/wix?keyword=libros+de+las+5s, is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting the primary intent is to redirect users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=libros+de+las+5s
    • https://cdn.shopify.com/s/files/1/0432/7935/1976/files/36190188991.pdf
    • https://cdn.shopify.com/s/files/1/0436/2888/8227/files/bspp_thread_standard.pdf
    • https://cdn.shopify.com/s/files/1/0432/0916/2907/files/3593235214.pdf
    • https://static.usrfiles.com/ugd/b8c837_9a4dfeb1938a488ebd2991b5deac1e29.pdf
    • https://static.usrfiles.com/ugd/696b8a_796c337e8fad441cb62731532cfc59ea.pdf
    • https://static.usrfiles.com/ugd/89064d_215f0c5304be47b092fb7cab0b0c46e1.pdf
    • https://static.usrfiles.com/ugd/b8c837_897adf9c4edd4691803fa37a7a654b2c.pdf
    • https://static.usrfiles.com/ugd/b8c837_251491913ebd4588ae6523ca023dcaeb.pdf
    • https://static.usrfiles.com/ugd/c33cdb_0e21991e8af5473bb45ecced1acd83ae.pdf
    • https://static.usrfiles.com/ugd/c7a620_fa75090eb9b0415f94f2218f2b2c29b2.pdf
    • https://static.usrfiles.com/ugd/f63f29_c0df1c62129a4d7aa01b01d7bf0dddbe.pdf
    • https://static.usrfiles.com/ugd/89064d_a43f615631de4773ab76d7e3fcce4fa0.pdf
    • https://static.usrfiles.com/ugd/6290de_da51699062ba43039a46c5ae8c0d25ab.pdf
    • https://static.usrfiles.com/ugd/b8c837_c983ada6ea3d434b894a2931d6bcda20.pdf
    • https://static.usrfiles.com/ugd/b8c837_2d089fc0ad8e456caa0a9e5e7193cf6c.pdf
    • https://static.usrfiles.com/ugd/8b2c09_ccbb16ad2c10490a8ea17b7318cc487b.pdf
    • https://static.usrfiles.com/ugd/b8c837_4044c70bd1634e7f91176e2bca3425b4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005830.bin
ec699c58412587da62c3d79713c6847455eebba29fe24757636fb30ddbd08869		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5830 5024 bytes
font_01_sfnt_off00006947.bin
4254dacce72974664039129cb39453d0ef7ef8e184835eb00a695047c208a056		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6947 10244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.