Malicious PDF — malware analysis report

Static analysis result for SHA-256 e52c2d498c5c4aec…

MALICIOUS

PDF

49.3 KB Created: 2020-08-24 05:05:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7173508b7febaae2d78d4ad1a1f75754 SHA-1: 186ee61c3d34a914c2db1cf3067cab79796a3fd5 SHA-256: e52c2d498c5c4aec5e6421a56f7c8065b0f0a42c92dec578f25f4d21d501fa24
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged for containing a large number of external links, a technique often used for SEO manipulation or to distribute malicious content. One of the embedded links points to a known malicious redirector, ttraff.com, which is likely used to obscure the final destination of the attack. The document body contains garbled text and a reference to the redirector URL, suggesting it's not intended for human consumption but rather as a lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ben+tennyson+alien+forms
    • http://zeluw.cpaforfamilywealth.com/uploads/1/3/1/4/131453870/1898342.pdf
    • https://cdn.shopify.com/s/files/1/0437/4924/5079/files/windows_mobile_6._5_download.pdf
    • https://cdn.shopify.com/s/files/1/0434/6786/6265/files/54100482009.pdf
    • https://cdn.shopify.com/s/files/1/0427/4647/8759/files/50654594594.pdf
    • https://cdn.shopify.com/s/files/1/0434/0446/0188/files/green_belt_course.pdf
    • https://cdn.shopify.com/s/files/1/0433/5838/8374/files/meilleur_correcteur_d_orthographe.pdf
    • https://cdn.shopify.com/s/files/1/0431/7206/9525/files/wamurenuturuw.pdf
    • https://cdn.shopify.com/s/files/1/0437/4652/5338/files/sudexaxam.pdf
    • https://cdn.shopify.com/s/files/1/0434/5187/5494/files/faviweruwajuzofixu.pdf
    • https://cdn.shopify.com/s/files/1/0436/9842/1913/files/lizosuribezotugovoviko.pdf
    • https://cdn.shopify.com/s/files/1/0433/1434/8197/files/97670025685.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000789f.bin
1264cf697e2e0e4a52c2264790c681cb28b1b3a031f2bc13e3f52e3936561dab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x789F 5064 bytes
font_01_sfnt_off000089c7.bin
d6814c16a4dd6715f9c85d0972eeb3f41680c30bca201c91c85e8d87d42fce5c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89C7 15092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.