Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9126bd0feefd9ec…

MALICIOUS

PDF

39.4 KB Created: 2020-08-15 18:40:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe3f352d4a5838f2331fbe29b6e27bda SHA-1: 49334bf9ed53751d36d772d00514fc2b034e81d8 SHA-256: e9126bd0feefd9ec84db856fe68d16a651ef05609d814ed22d54adf77ba9d1fb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDF files hosted on various domains. One of the embedded links, https://ttraff.cc/wb?keyword=chess%20structures%20a%20grandmaster%20pdf, is identified as a malicious redirector. This suggests the document is part of a link farm or SEO poisoning campaign designed to direct users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=chess%20structures%20a%20grandmaster%20pdf
    • http://files.americasschoonercup.com/uploads/1/3/0/9/130969404/8255926.pdf
    • http://files.robynadair.com/uploads/1/3/2/7/132740586/pizunipiva.pdf
    • http://files.expressfullhealthpotential.com/uploads/1/3/0/7/130739456/balarobajuvarivegi.pdf
    • https://cdn.shopify.com/s/files/1/0434/0183/8744/files/sims_3_update.pdf
    • https://cdn.shopify.com/s/files/1/0433/2398/1979/files/ponejeku.pdf
    • https://cdn.shopify.com/s/files/1/0432/2564/5211/files/79506094736.pdf
    • https://cdn.shopify.com/s/files/1/0439/8232/3870/files/snow_loreena_mckennitt_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0435/1049/7434/files/vancouver_bc_map.pdf
    • https://cdn.shopify.com/s/files/1/0432/9675/1771/files/52878688330.pdf
    • https://cdn.shopify.com/s/files/1/0428/9419/6902/files/wafovi.pdf
    • https://cdn.shopify.com/s/files/1/0429/1844/5223/files/31055746676.pdf
    • https://cdn.shopify.com/s/files/1/0430/6187/0746/files/trx_upper_back_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0434/2117/1879/files/54042594958.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c04.bin
a8f207de2408b9dbf2ade93c5c0d3d9ea078c4f1134f8eb8d65ce0b1dc01be37		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C04 5440 bytes
font_01_sfnt_off00006e56.bin
41e2618788956d16a23b03a1f98d06bab21296ebaa130aeaabd5b78426a60b65		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E56 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.