Malicious PDF — malware analysis report

Static analysis result for SHA-256 e769722a466f4cfb…

MALICIOUS

PDF

Size: 43.0 KB | Created: 2020-08-20 02:00:28 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7775cf94fa1e07158ef07d965a0b6b22 | SHA-1: ec60ad1d1964ac48f8ba9b4115acc15f232fa35f | SHA-256: e769722a466f4cfba97f56a969afb464ea9c6061f609d4603205db6324387ff2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a significant number of embedded links, with a critical heuristic firing indicating a link farm. One of the primary links directs to a redirector service, 'ttraff.cc', which is known for malicious activity. This suggests the document is designed to lure users to malicious websites by obscuring the final destination through multiple redirects. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the specific lure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=bhopal+shatabdi+express+platform
    • http://resojolo.zenyasastudio.com/uploads/1/3/1/4/131453134/zavadales.pdf
    • https://cdn.shopify.com/s/files/1/0437/3302/4929/files/lightroom_classic_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0437/8509/3281/files/critical_path_method_in_project_management.pdf
    • https://cdn.shopify.com/s/files/1/0433/3699/0885/files/bufeguvami.pdf
    • https://cdn.shopify.com/s/files/1/0429/8617/6665/files/tarufojo.pdf
    • https://cdn.shopify.com/s/files/1/0428/8158/1209/files/56709644438.pdf
    • https://cdn.shopify.com/s/files/1/0428/5205/7244/files/10_day_forecast_missoula.pdf
    • https://cdn.shopify.com/s/files/1/0434/3100/2264/files/english_grammar_worksheets_for_grade_5.pdf
    • https://cdn.shopify.com/s/files/1/0441/0929/9864/files/nace_cathodic_protection.pdf
    • https://cdn.shopify.com/s/files/1/0434/4266/7676/files/74365084436.pdf
    • https://cdn.shopify.com/s/files/1/0434/3241/1298/files/new_king_james_version_study_bible_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/5652/9565/files/55839056447.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • font_00_sfnt_off00005f80.bin
    SHA-256: 7486236805a89d679f38626e2d54926765dfb361d82db953b685ce0f3d3cd8e4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5F80
    Size: 5536 bytes
  • font_01_sfnt_off0000722d.bin
    SHA-256: 8709d9e843962f0bf4647343a784f46e8a2277b3c68c25c87f266e57200a5cf0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x722D
    Size: 14736 bytes