Malicious PDF — malware analysis report

Static analysis result for SHA-256 e90b55519243c4a5…

MALICIOUS

PDF

40.5 KB Created: 2020-08-30 02:31:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46d8724c9953d7f5d86e1ba7376c5fca SHA-1: 426c357eff6a73aa7982cb8934527ca19d7b0bdc SHA-256: e90b55519243c4a52e38690b44be657f320226e86b940768924f83ceef659cc5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was identified as malicious due to its inclusion of a link to a known malicious redirector at 'https://ttraff.com/wix?keyword=cragmaw+hideout+wolves'. Additionally, it functions as a link farm, embedding numerous external PDF links, with 'https://cdn.shopify.com/s/files/1/0459/9899/7663/files/java_1.5_download.pdf' being the first identified. This suggests an attempt to manipulate search engine results or distribute further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=cragmaw+hideout+wolves
    • https://cdn.shopify.com/s/files/1/0459/9899/7663/files/java_1.5_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/9610/4341/files/xedujojanomid.pdf
    • https://cdn.shopify.com/s/files/1/0437/7857/2450/files/80581437286.pdf
    • https://cdn.shopify.com/s/files/1/0431/5283/4717/files/65880529848.pdf
    • https://cdn.shopify.com/s/files/1/0434/6553/9741/files/supajot.pdf
    • https://cdn.shopify.com/s/files/1/0431/6305/8333/files/33276056464.pdf
    • https://cdn.shopify.com/s/files/1/0435/6653/0728/files/70437795874.pdf
    • https://cdn.shopify.com/s/files/1/0437/3911/9765/files/wemeduxipeg.pdf
    • https://cdn.shopify.com/s/files/1/0432/7810/6779/files/jquery_get_current_date.pdf
    • https://static.usrfiles.com/ugd/4f270c_77f7268fc2834bc99ba92702b4df01a7.pdf
    • https://static.usrfiles.com/ugd/0df15e_92f2ec4398044abc987e7452787b6d49.pdf
    • https://static.usrfiles.com/ugd/b8c837_e1b3d97bc48f497abe3862f8b9e863d5.pdf
    • https://static.usrfiles.com/ugd/97368a_3677fe63905643ffb1ff63f5ef1d1165.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f72.bin
e19f3bd94d1239957f3fbba1b263b640b79f551c8deed03cdef16e3acfccfd0e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F72 5296 bytes
font_01_sfnt_off00007165.bin
f04df257da17c0767998d11327e5e03ae3ff651362d43275919f75e8a239293b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7165 10140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.