Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb739d31225545aa…

MALICIOUS

PDF

44.6 KB Created: 2020-08-30 13:23:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 563b6d2d4ffdf9152918ad3930228a01 SHA-1: e1ffbe0329c28e379675e72c210fd2cb2b703b75 SHA-256: eb739d31225545aa8491dc2f39f031ca5a4c71e67760dfe21a495514bfd4be44
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=destiny+2+a+weapon+of+hope'. Additionally, it exhibits characteristics of a PDF SEO link farm, embedding numerous external links, with 'https://cdn.shopify.com/s/files/1/0434/5475/9065/files/sofia_the_first_princess_adventure_club.pdf' being the first identified. The document body, though heavily obfuscated, also contains the malicious redirector URL, reinforcing the intent to lure the user to a potentially harmful destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=destiny+2+a+weapon+of+hope
    • https://cdn.shopify.com/s/files/1/0434/5475/9065/files/sofia_the_first_princess_adventure_club.pdf
    • https://cdn.shopify.com/s/files/1/0437/2915/8295/files/11416711506.pdf
    • https://cdn.shopify.com/s/files/1/0430/6622/8898/files/74648927144.pdf
    • https://cdn.shopify.com/s/files/1/0428/6591/8118/files/34451995159.pdf
    • https://cdn.shopify.com/s/files/1/0439/4372/3163/files/u._s._news_world_report_best_hospita.pdf
    • https://cdn.shopify.com/s/files/1/0433/6658/0382/files/vixem.pdf
    • https://cdn.shopify.com/s/files/1/0432/5919/9650/files/99878168181.pdf
    • https://cdn.shopify.com/s/files/1/0433/0808/9509/files/57357704879.pdf
    • https://cdn.shopify.com/s/files/1/0440/2737/9877/files/chain_rule_differentiation_worksheet.pdf
    • https://static.usrfiles.com/ugd/b8c837_7656779f324e42e1b8aa0d9c175873b1.pdf
    • https://static.usrfiles.com/ugd/5438e3_d41f6e3c7d4e4e4bb705fa93fae2c9c1.pdf
    • https://static.usrfiles.com/ugd/b8c837_6183246d100d46d28dc6b95d7a1db236.pdf
    • https://static.usrfiles.com/ugd/912de2_8495b1002846430f99ea5409cf7fe933.pdf
    • https://static.usrfiles.com/ugd/cc03df_2507a232b0b946ef84d9c08b2fc7d113.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007059.bin
3825add0d1c9bda79d9447ae797fe1f2d6382edf8aa549dea954bb22e1469317		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7059 5188 bytes
font_01_sfnt_off0000821c.bin
07db263c25851c29ed53034ab60597f17c7ddecb97cc7cd8b0be0b90ac8e64a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x821C 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.