Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebef33b4b0c318c5…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
Created: 2020-08-22 02:25:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7698b21c3ff73a60ef526867beb6ca71
SHA-1: 4a0a018033683e2c3b2fc5843e99a59fd8f30dcb
SHA-256: ebef33b4b0c318c53225117487259dbfeb1c2053e787c99f779ea19d8d204f89
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, many of which are hosted on Shopify but some point to unknown domains. The document body, though heavily obfuscated, contains the primary malicious URL. The presence of these links suggests the document's primary purpose is to redirect users to potentially harmful content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=cognos+report+studio+no+page+break

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000065a7.bin
  SHA-256: 735d5f371e1b23673674221df00b1dcd1cc941d06aec05affd79281b174e32d2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x65A7
  Size: 5204 bytes

Filename: font_01_sfnt_off0000775d.bin
  SHA-256: 95c5333d7f435d00b720d22d4e7dbc08ac1b8539fffa28652e67956fbe8ac034
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x775D
  Size: 10832 bytes