Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed6df7f66f2897e3…

MALICIOUS

PDF

52.4 KB Created: 2020-08-10 14:04:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 066ef9c463ddaca2905f72aebe2416dc SHA-1: 47571edf55b24da8b646abaa1c6c4952476640a8 SHA-256: ed6df7f66f2897e336d213f31b2a1d95574fd65c6a2dc4cc5de5aba9ce7180ec
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a lure related to an 'Amazon case study analysis' and includes a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document also exhibits characteristics of an advance-fee scam, suggesting the user is prompted to click links that lead to fraudulent content or further malicious downloads. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm designed to distribute malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=amazon+case+study+analysis+pdf
    • http://tujuk.vibrantpet.com/uploads/1/3/1/4/131407995/xivukeze.pdf
    • http://muret.amphionpercussion.com/uploads/1/3/1/6/131606069/8a82f2368ba7.pdf
    • http://files.amastaff.org/uploads/1/3/1/4/131455463/863958.pdf
    • https://cdn.shopify.com/s/files/1/0432/3006/8898/files/desometurajinatezimot.pdf
    • https://cdn.shopify.com/s/files/1/0430/5970/8058/files/xifosenal.pdf
    • https://cdn.shopify.com/s/files/1/0434/5308/7909/files/51281444883.pdf
    • https://cdn.shopify.com/s/files/1/0430/9801/3845/files/jajew.pdf
    • https://cdn.shopify.com/s/files/1/0431/5725/8401/files/9281011666.pdf
    • https://cdn.shopify.com/s/files/1/0448/2557/5581/files/arquitectura_griega_clasica.pdf
    • https://cdn.shopify.com/s/files/1/0432/3537/7307/files/98160848545.pdf
    • https://cdn.shopify.com/s/files/1/0428/3164/2780/files/fetodusivebetibode.pdf
    • https://cdn.shopify.com/s/files/1/0435/2655/3752/files/john_deere_2755.pdf
    • https://cdn.shopify.com/s/files/1/0446/1376/3235/files/present_perfect_tense_mixed_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/54171278856.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008db8.bin
2db8da5713cbb3a6bdb9b7f52004eb638e1ea4d377f87eeb49f1370d9cf21303		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DB8 5348 bytes
font_01_sfnt_off00009fe6.bin
0acadc14d4296ae09d45cab73a635f28e8c4c54b3674e6f4f761a2eb97ccf6ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9FE6 10800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.