Malicious PDF — malware analysis report

Static analysis result for SHA-256 e90c77c973596310…

MALICIOUS

PDF

35.5 KB Created: 2020-09-09 00:16:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7fbb3d58d04d27a5dc36a46cd7d02cbf SHA-1: 5e48ee073c08524456de028bf38a27377f7cab6e SHA-256: e90c77c973596310a0a6a3ab09059a7e960aa5c2bef638314535e17967e76ea0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a deceptive document body and multiple embedded links, including one identified as a malicious redirector. The primary malicious link is https://ttraff.link/wix?keyword=comcast+be+anywhere+answer+confirmation, which likely leads to a phishing or malware distribution site. The presence of numerous other PDF links suggests a link farm or SEO poisoning tactic to obscure the malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=comcast+be+anywhere+answer+confirmation
    • https://cdn.shopify.com/s/files/1/0432/3016/7202/files/kabulitobolefu.pdf
    • https://cdn.shopify.com/s/files/1/0434/7153/6290/files/sewabomoxo.pdf
    • https://cdn.shopify.com/s/files/1/0433/5140/8799/files/dogotibitepifa.pdf
    • https://cdn.shopify.com/s/files/1/0434/7202/7814/files/farevufu.pdf
    • https://static.usrfiles.com/ugd/1cfe37_38445e6677ea4276a8de111a63c1672c.pdf
    • https://static.usrfiles.com/ugd/696b8a_fe9c5b426976499e8e19c6f1ae33f704.pdf
    • https://cdn.shopify.com/s/files/1/0430/7012/8277/files/1234047087.pdf
    • https://cdn.shopify.com/s/files/1/0427/6604/1244/files/ffxiv_giant_seps.pdf
    • https://cdn.shopify.com/s/files/1/0452/4064/7841/files/coprinus_comatus.pdf
    • https://cdn.shopify.com/s/files/1/0433/6363/1272/files/duxaxoraxaxeb.pdf
    • https://cdn.shopify.com/s/files/1/0431/5450/5882/files/80416317692.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004df1.bin
d9a0c4348f0fd108328432cd3e12d2387cef353a58859adcf311aabadb2a16d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4DF1 5328 bytes
font_01_sfnt_off00005ff6.bin
7af790db584b84c51a79423b0afc061434f041ac0c9440dc89b03862010f7d97		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FF6 9740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.