Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9daef477ae47d0a…

MALICIOUS

PDF

Size: 45.9 KB | Created: 2020-09-01 00:11:04 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 91bb30fe18a912bcd56ecad5bfa2b387
SHA-1: 5b69c9fb301a4a79167638e6d070f620cb0676fb
SHA-256: e9daef477ae47d0af1c4d72df59b92648334b87ecb2d64e692b6d4b29661cb15
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to other PDF documents, a technique often used for SEO manipulation or to obscure malicious content. One of these links, https://ttraff.cc/pify?keyword=albino+cory+catfish+care+sheet, is identified as a malicious redirector. This suggests the document is part of a campaign to lure users to malicious sites, likely for phishing or distributing further malware.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure — severity: critical — rule: PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm — severity: critical — rule: PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL — severity: info — rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/pify?keyword=albino+cory+catfish+care+sheet
    • https://cdn.shopify.com/s/files/1/0431/1157/9809/files/8118462534.pdf
    • https://cdn.shopify.com/s/files/1/0431/4434/7802/files/jimesizaledoguvu.pdf
    • https://cdn.shopify.com/s/files/1/0428/4488/1059/files/ay_kendi_etrafnda_dnn_ka_gnde_tamamlar.pdf
    • https://cdn.shopify.com/s/files/1/0430/8529/9874/files/bendito_seas_seor_palazon.pdf
    • https://static.usrfiles.com/ugd/b8c837_c78d14622faf40a2bd6fb3d8846d5123.pdf
    • https://static.usrfiles.com/ugd/b8c837_ba385a38c96a47f6959ba425c99e3d8d.pdf
    • https://static.usrfiles.com/ugd/a382ee_f92dcabb6ed1408d8786cc62f75826ca.pdf
    • https://cdn.shopify.com/s/files/1/0433/9122/1923/files/72352710129.pdf
    • https://cdn.shopify.com/s/files/1/0428/6126/5062/files/fiwofi.pdf
    • https://cdn.shopify.com/s/files/1/0460/7043/1908/files/1999_porsche_boxster_owners_manual_p.pdf
    • https://cdn.shopify.com/s/files/1/0440/6679/9766/files/game_calling_all_mixels.pdf
    • https://cdn.shopify.com/s/files/1/0430/7098/0247/files/xodawodizew.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000760c.bin
  SHA-256: 6d2a8475edd759fb42a66143bd70795539d780e12b7638614e473b60d3122063
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x760C
  Size:    5200 bytes

Filename: font_01_sfnt_off000087c6.bin
  SHA-256: 07c773bd65a1e66dcb0c6dfe4ada3db7f235474768043aab03c2ff26e5a11aed
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x87C6
  Size:    10352 bytes