Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9dc8b0edf12336e…

MALICIOUS

PDF

51.3 KB Created: 2020-08-16 11:00:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78a15a087799b4528e4359a71d8a5a2a SHA-1: 5ff3f425ad81cfd9e032f0fbbcc0d0bb1aa6acae SHA-256: e9dc8b0edf12336e94857b31661e20f1d96d360b4c778042498108b0bb1921ad
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.com, which is disguised as a 'blood father parents guide'. This indicates a phishing or social engineering attempt to direct users to malicious content. The file also contains a large number of embedded links, many pointing to Shopify domains, suggesting a link farm or SEO manipulation tactic to obscure the malicious redirector. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=blood+father+parents+guide
    • http://files.annemckeestoryteller.com/uploads/1/3/1/3/131398204/cea4c1cb6b.pdf
    • http://bugen.footstepscounselingaberdeensd.com/uploads/1/3/2/6/132695569/1392913.pdf
    • https://cdn.shopify.com/s/files/1/0437/1991/7717/files/26858740480.pdf
    • https://cdn.shopify.com/s/files/1/0432/6552/3862/files/bipabudobasusapumesel.pdf
    • https://cdn.shopify.com/s/files/1/0440/2960/8101/files/kezusu.pdf
    • https://cdn.shopify.com/s/files/1/0431/4179/1900/files/dipamoradi.pdf
    • https://cdn.shopify.com/s/files/1/0437/5796/1374/files/list_of_2010s_anime.pdf
    • https://cdn.shopify.com/s/files/1/0432/7990/9028/files/tozeburag.pdf
    • https://cdn.shopify.com/s/files/1/0433/7552/6051/files/blockchain_adalah.pdf
    • https://cdn.shopify.com/s/files/1/0441/3220/4696/files/19578171988.pdf
    • https://cdn.shopify.com/s/files/1/0436/4346/9974/files/17088353983.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008b4e.bin
65bd3cb3e94d1444c31c5d6b0a15e0b9fd210f906ab0f534a0832322981acc7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B4E 5352 bytes
font_01_sfnt_off00009d7a.bin
5962546c21a8034284b6213653e771806e80da3b7a51357f6e522456cc1cf73e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D7A 10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.