Malicious PDF — malware analysis report

Static analysis result for SHA-256 e62f67e5606f23a7…

Verdict: MALICIOUS
File type: PDF
Size: 32.7 KB
Created: 2020-09-20 18:50:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5bc2053a20f62df02c21c0bd6fc5ca19
SHA-1: c1ba1dd9a968177842703df4793796b48b06dc76
SHA-256: e62f67e5606f23a7decb28f567909b5703556a52fcba280bcd2a93b93eef386f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious due to its inclusion of a link farm, a common tactic for SEO manipulation and traffic redirection. One of the embedded URLs, 'https://ttraff.club/wix?keyword=accudrill+precision+drill+guide', is flagged as a known malicious redirector. The document body contains garbled text but also includes the same malicious URL and several benign Shopify URLs, suggesting an attempt to disguise malicious activity within a large number of links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.club/wix?keyword=accudrill+precision+drill+guide
    • https://cdn.shopify.com/s/files/1/0432/8757/6740/files/calligraphy_letters_for_beginners.pdf
    • https://cdn.shopify.com/s/files/1/0430/1658/5379/files/12335584030.pdf
    • https://cdn.shopify.com/s/files/1/0434/0937/5383/files/angel_eyes_song_bombay_vikings.pdf
    • https://cdn.shopify.com/s/files/1/0428/5317/1356/files/xanubipizen.pdf
    • https://cdn.shopify.com/s/files/1/0427/5752/1574/files/holding_out_for_a_hero_footloose_sheet_music.pdf
    • https://80992133-6a73-4002-88b8-afa4a0fa18ee.filesusr.com/ugd/21a131_e0fdbcdd31c046068c5de39cc6e841bc.pdf?index=true
    • https://bba9c1bd-5da6-4d35-bc76-93b5fb954af8.filesusr.com/ugd/7a7fb1_237d69f8a6104cf999d413bf56f37a21.pdf?index=true
    • https://754db65e-d827-451a-b028-8f70ada0c1dd.filesusr.com/ugd/493135_f9ab7abfc5924415a771552809b01446.pdf?index=true
    • https://e68b98aa-9ab0-4e4f-8677-49b80fe4ce8d.filesusr.com/ugd/2c608b_425f93dc52df4d93b3a089b4536a7119.pdf?index=true
    • https://2543b630-8bf5-4780-b827-7a0ceb30dff7.filesusr.com/ugd/7fedcf_a3a931df1d624f08970e2166cdc11315.pdf?index=true
    • https://a26dca9c-1eb5-467d-8afd-bc520eaabcc7.filesusr.com/ugd/62e2c1_911aeec0cecf4eeabfd5aaa96db17cc6.pdf?index=true
    • https://f098ddc8-ea77-457c-be57-5f588c44c35a.filesusr.com/ugd/7cefa9_d92374df081849e1a3ca657d9ab1a931.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004366.bin
  SHA-256: c78160e43f8a6ec778e1fc59c7b52f6c61b9f9b4e8fbafb8d64000a4cae975c8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4366
  Size: 5020 bytes

Filename: font_01_sfnt_off00005489.bin
  SHA-256: ca355959b46f89e40eb50a3cad6cc31ea79e1c89ab76e747366f2cbfa441204e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5489
  Size: 9912 bytes