Malicious PDF — malware analysis report

Static analysis result for SHA-256 e421ddde25183971…

Verdict: MALICIOUS
File type: PDF
Size: 54.3 KB
Created: 2020-08-10 19:37:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f59d8ac7ed6b2eb5e97ff1373fb74e9
SHA-1: f56ff4b20a95da4fe9320aef43c8b97fd4109c80
SHA-256: e421ddde25183971357fe6f049d49ffa267aa5fcb5f2a6f9c33f960c3cc1dc7f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One critical heuristic firing indicates that a link within the document points to known malicious redirector infrastructure at ttraff.com. This suggests the document is designed to lead users to malicious websites, likely for phishing or malware distribution.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.com/pify?keyword=application+of+artificial+neural+network+in+civil+engineering+pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • stream_006_off0000b89e.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xB89E; Size: 18088 bytes
    SHA-256: 55e64f090a60eb4baac90deb19b9828562de58929c260c82e42c8876e0483289
  • font_00_sfnt_off0000666d.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x666D; Size: 5348 bytes
    SHA-256: cf5b40e349c05cb500a13142fbd92d265517d761df26b72c861fd39b25006626
  • font_01_sfnt_off000078bf.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x78BF; Size: 4784 bytes
    SHA-256: b215886efb3e8b0772675a14f3338d5b95de7a508743756ae091ffdce4b36057
  • font_02_sfnt_off00008968.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8968; Size: 15112 bytes
    SHA-256: 2be36a692bed7c58a03a036dc84e5d5c13219b88a140f633423f1030b4410500