Malicious PDF — malware analysis report

Static analysis result for SHA-256 e113074b28bd420b…

MALICIOUS

PDF

41.6 KB Created: 2020-08-27 14:18:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 76dd20fcb83ee7bcf182293bb0c9f46d SHA-1: 8222cfec19adec93f73e867c2605ed3c5a76d23c SHA-256: e113074b28bd420b22a94c08c59617dacc2c8e892a0ac01f1919fb23f2fb4644
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a lure promising free romance books, which is a common social engineering tactic. It embeds multiple links, one of which, 'https://ttraff.cc/pify?keyword=old+harlequin+romance+books+free+dow', is identified as a malicious redirector. The document body also contains obfuscated text and numerous links, many pointing to Shopify domains, but the primary malicious indicator is the redirector URL. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=old+harlequin+romance+books+free+dow
    • http://gakezena.lcatswimming.com/uploads/1/3/0/8/130874493/87674fe66c.pdf
    • http://files.bingocompany.net/uploads/1/3/1/3/131379612/d2857f2095895b.pdf
    • http://files.antonio-oliveirafilho.com/uploads/1/3/0/7/130776206/zafutib_supuvan_folor_merujoremu.pdf
    • https://cdn.shopify.com/s/files/1/0431/2177/0656/files/the_nine_abdominal_regions.pdf
    • https://cdn.shopify.com/s/files/1/0431/7052/9436/files/calendario_de_vacinacao_2019.pdf
    • https://cdn.shopify.com/s/files/1/0439/9644/6878/files/john_deere_lt155_parts_manual.pdf
    • https://cdn.shopify.com/s/files/1/0434/0429/6348/files/nijuv.pdf
    • https://cdn.shopify.com/s/files/1/0427/7082/5382/files/sociology_gcse_book.pdf
    • https://cdn.shopify.com/s/files/1/0427/6515/6508/files/53320033759.pdf
    • https://cdn.shopify.com/s/files/1/0427/9212/4572/files/gixijuzakagaxizozevimi.pdf
    • https://cdn.shopify.com/s/files/1/0465/2993/7558/files/watchmen_comic_english.pdf
    • https://cdn.shopify.com/s/files/1/0434/3499/9975/files/sulepujopogira.pdf
    • https://cdn.shopify.com/s/files/1/0436/8941/0713/files/kanujan.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063cb.bin
8ee6dc512910fbce593daa3429ea8c42f409263701c929169521c180931223b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63CB 5708 bytes
font_01_sfnt_off0000770f.bin
b2ef36f05f309ec1ff35d5451705b46c4fd39cb917ceed64c338bb561d8bd28b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x770F 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.