Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2b627dc2b3d189c…

MALICIOUS

PDF

40.4 KB Created: 2020-08-19 00:54:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64d86be86befdf64382ed1175d8f79d1 SHA-1: 1aaa0d406bb3726a8594aed5938eb44643fcaf2e SHA-256: e2b627dc2b3d189c8acfdd65df6ab63d9e78cdc848bf8abd5e5b3474aa10b2c4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to malicious infrastructure. Additionally, PDF_SEO_LINK_FARM indicates a large number of external links, likely for obfuscation or to spread malicious content. The primary malicious URL identified is https://ttraff.com/pify?keyword=hotstar+without+vip+app, which is used in the document body and as a redirector. The document body itself contains garbled text but includes the malicious URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=hotstar+without+vip+app
    • http://files.childrenssunflowerhouse.com/uploads/1/3/0/8/130813781/c2653474f4.pdf
    • https://cdn.shopify.com/s/files/1/0433/9089/4247/files/mograine_s_deathcharger_legion.pdf
    • https://cdn.shopify.com/s/files/1/0435/7718/0328/files/xurive.pdf
    • https://cdn.shopify.com/s/files/1/0431/6787/5221/files/modele_attestation_employeur_pole_emploi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9291/8937/files/53159609132.pdf
    • https://cdn.shopify.com/s/files/1/0447/2664/8985/files/pevabomo.pdf
    • https://cdn.shopify.com/s/files/1/0433/3027/3434/files/borrowing_cost_ias_23.pdf
    • https://cdn.shopify.com/s/files/1/0433/8758/4677/files/newegebipimufusoxadufipo.pdf
    • https://cdn.shopify.com/s/files/1/0431/0928/6050/files/70493016879.pdf
    • https://cdn.shopify.com/s/files/1/0433/3695/8104/files/pewobuto.pdf
    • https://cdn.shopify.com/s/files/1/0434/3896/4903/files/99_thieving_guide_osrs.pdf
    • https://cdn.shopify.com/s/files/1/0431/5542/3398/files/23594741086.pdf
    • https://cdn.shopify.com/s/files/1/0430/1615/9381/files/81818626014.pdf
    • https://cdn.shopify.com/s/files/1/0433/5131/0488/files/juwekukiwufofeselip.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005df7.bin
270667835c4790696bb3eca91e1ebf93c13e98d5175e027dc7586c94e00aa715		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DF7 4988 bytes
font_01_sfnt_off00006efb.bin
f3b3dde1b67f033d39b12e48d61f39fbb3840e3e7a4288a091e35fd7f3d3374f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EFB 11548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.