Malicious PDF — malware analysis report

Static analysis result for SHA-256 e716138ed71e51f0…

MALICIOUS

PDF

36.6 KB Created: 2020-08-31 05:03:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6fc7f0615becd0af640c539464345edc SHA-1: c01695d4ba84e2400a468bf422b7bdd5256f5ff8 SHA-256: e716138ed71e51f03c28366c0bddf8077a73b19db86dcf78fa6329717c9c1e1b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, characteristic of a link farm designed to manipulate search engine rankings. One of these links, found in the document body and identified by the heuristic PDF_MALICIOUS_REDIRECTOR_LINK, points to the domain 'ttraff.com', which is known for malicious redirector activity. The majority of the links point to benign PDF files hosted on Shopify, suggesting a deceptive tactic to mask the malicious redirect.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=formato+de+bitacora+de+actividades+diarias+word
    • https://cdn.shopify.com/s/files/1/0440/1361/7302/files/principi_di_anatomia_microscopica.pdf
    • https://cdn.shopify.com/s/files/1/0439/1544/4379/files/naval_ships_technical_manual.pdf
    • https://cdn.shopify.com/s/files/1/0430/2805/4169/files/51582266893.pdf
    • https://cdn.shopify.com/s/files/1/0434/0164/2135/files/apache_poi_3._14_jar.pdf
    • https://cdn.shopify.com/s/files/1/0428/6621/3031/files/rudusemilemekufujuleju.pdf
    • https://cdn.shopify.com/s/files/1/0431/5371/9453/files/critical_thinking_in_education_a_review.pdf
    • https://cdn.shopify.com/s/files/1/0440/6591/5045/files/doretufofipukibinolavif.pdf
    • https://cdn.shopify.com/s/files/1/0434/0029/8648/files/tususewewufodib.pdf
    • https://cdn.shopify.com/s/files/1/0436/9563/6633/files/fufizuridugajepef.pdf
    • https://static.usrfiles.com/ugd/cac9e4_5c346343c79b46ec937d8a37b551450c.pdf
    • https://static.usrfiles.com/ugd/a771bd_574a85b01a8d4280bca253cefee66761.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d5a.bin
c50ccc78425316f422efd0beadb7306386867e5366badafae5cbc941dc6f5f14		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D5A 5300 bytes
font_01_sfnt_off00005f5a.bin
0e4f9ac82d037a168c4d8bb2c8178739c63fe221bdcae25bdbb5f12761967b62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F5A 11272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.