Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb7da35e60bfd4b7…

MALICIOUS

PDF

56.1 KB Created: 2020-08-31 07:49:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: deb1827d9921c805ae067682a8d57ac2 SHA-1: 0746c2a99f69672f42d70722b13222d3c29497c5 SHA-256: eb7da35e60bfd4b70ff2a3c364cee5502b1872ecd65e71677409c7db96d684d9
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link to a known malicious redirector, ttraff.com, disguised with a search query for a movie. It also exhibits characteristics of a PDF SEO link farm, with numerous links pointing to various PDF files hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the movie title and the malicious URL, reinforcing the lure. The presence of a download button lure and urgency language further supports a phishing or scam attempt.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=tears+of+the+sun+full+movie+in+hindi+dubbed+download+480p
    • https://cdn.shopify.com/s/files/1/0430/4620/7642/files/aula_internacional_1_libro_de_ejercicios.pdf
    • https://cdn.shopify.com/s/files/1/0440/7338/6136/files/gakabiniserokomilane.pdf
    • https://cdn.shopify.com/s/files/1/0433/9793/9361/files/nopegasi.pdf
    • https://cdn.shopify.com/s/files/1/0433/4521/5637/files/73750630590.pdf
    • https://cdn.shopify.com/s/files/1/0434/1573/2381/files/english_speaking_course_lessons.pdf
    • https://cdn.shopify.com/s/files/1/0448/3658/5629/files/agile_scrum_master.pdf
    • https://cdn.shopify.com/s/files/1/0432/6873/5140/files/salopebukumenuju.pdf
    • https://cdn.shopify.com/s/files/1/0428/7676/4327/files/25736754410.pdf
    • https://cdn.shopify.com/s/files/1/0438/9126/1595/files/google_maps_android_sdk_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0432/0028/2783/files/microsoft_project_2010_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0435/1347/9320/files/fezipumat.pdf
    • https://cdn.shopify.com/s/files/1/0429/3433/7695/files/84259634702.pdf
    • https://static.usrfiles.com/ugd/63d3ad_684068200f494ad8bff7c6f386c79360.pdf
    • https://static.usrfiles.com/ugd/b8c837_abebc3777b5b4a4f8867a1f155e4821f.pdf
    • https://static.usrfiles.com/ugd/d4da64_80e53c0a2f6c45749f0bd8fd8c955ae0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005656.bin
bace6227e23918b31198b6f248b10cfcd21d9233e7e3caa99a625d034634adc0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5656 5944 bytes
font_01_sfnt_off00006a78.bin
8a50b1fad94fcac7537c5153201d60a2294c73e4f296cf7002a1414b365f4041		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A78 20968 bytes
font_02_sfnt_off00008aab.bin
9504c32449fdec2d3a35511b27fb093376d69ccc739e21c13c8be0495fc060e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8AAB 5116 bytes
font_03_sfnt_off00009b63.bin
b904886fb0aed2d1a1550db2ad7ef8d6d80fe463d13dff88c99773af1670c546		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B63 2276 bytes
font_04_sfnt_off0000a52e.bin
d8c6325acb2a06e07e914c0438d8135294f23f405992ac43e995f88ead5b2f4e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA52E 10332 bytes
font_05_sfnt_off0000c882.bin
3f5735fa85cacf7eb548443b0765f2b392ae292a1c439defd44ff2a6c12fc023		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC882 2056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.