Malicious PDF — malware analysis report

Static analysis result for SHA-256 dff53ea89288b159…

MALICIOUS

PDF

43.2 KB Created: 2020-08-19 21:42:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c87618f298f1ce417b470d2390250a8 SHA-1: a76d37b33a381c0ca2322d294d9e38f51dc0e011 SHA-256: dff53ea89288b15923b9d881b26907bd039eb11e5ea62817bbd8899e2960c3a6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised as an economics PDF. The document also hosts a large number of external PDF links, many hosted on Shopify, suggesting a link farm or SEO poisoning tactic. The primary malicious link is https://ttraff.com/pify?keyword=fabio+nusdeo+curso+de+economia+pdf, which likely leads to a phishing or malware distribution site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=fabio+nusdeo+curso+de+economia+pdf
    • http://files.freddiesfootprintjersey.com/uploads/1/3/1/0/131070711/3935354.pdf
    • http://suzonu.thejuicingstation.com/uploads/1/3/1/6/131606289/wobavumoxaji.pdf
    • http://files.mrsinigosmusic.org/uploads/1/3/0/7/130776661/bepatifupuxuraru.pdf
    • https://cdn.shopify.com/s/files/1/0433/4272/5275/files/mugonulunubozukijukemake.pdf
    • https://cdn.shopify.com/s/files/1/0438/4541/9170/files/zunozipa.pdf
    • https://cdn.shopify.com/s/files/1/0431/5709/4551/files/norfolk_erc_horse.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/57955619809.pdf
    • https://cdn.shopify.com/s/files/1/0432/2813/5592/files/nice_guidelines_diabetes_type_2_treatment.pdf
    • https://cdn.shopify.com/s/files/1/0428/8184/3353/files/pawenugigekakafubir.pdf
    • https://cdn.shopify.com/s/files/1/0428/1312/8863/files/88270802086.pdf
    • https://cdn.shopify.com/s/files/1/0435/4487/1063/files/6579549854.pdf
    • https://cdn.shopify.com/s/files/1/0449/7971/6264/files/22817023362.pdf
    • https://cdn.shopify.com/s/files/1/0447/0449/7818/files/92396105766.pdf
    • https://cdn.shopify.com/s/files/1/0430/6763/7917/files/94528371877.pdf
    • https://cdn.shopify.com/s/files/1/0428/2250/0518/files/84783800420.pdf
    • https://cdn.shopify.com/s/files/1/0433/7818/0257/files/wanajopamasezuxoremozidim.pdf
    • https://cdn.shopify.com/s/files/1/0431/1236/6229/files/nassau_county_da.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006077.bin
ac5babea6b19f21d06b3c60d66e921562818844b09643776bfa0ec9dc21b8b66		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6077 5364 bytes
font_01_sfnt_off00007298.bin
d52479cc311d0349882ea43b2cc3a2b475b3e6f2ce77db1b890f5cab42f23792		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7298 14924 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.