Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef1d4cedae7db270…

MALICIOUS

PDF

34.1 KB Created: 2020-08-12 23:27:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b31f21b0846f4ed3ee69646b23f956e SHA-1: 0eb2657f192da46867a25a0553b51c36e09ef43d SHA-256: ef1d4cedae7db2701398bed0185032c7ceb64861651af8e3e1e24e92cf6ab63f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=alter+ego+a1+pdf+online'. This indicates the document's primary purpose is to redirect users to malicious infrastructure. The presence of numerous other PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to increase visibility. No scripts were extracted, and the document body was heavily obfuscated, but the malicious redirector is a clear indicator of malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=alter+ego+a1+pdf+online
    • http://files.capturingportsmouth.com/uploads/1/3/1/3/131378943/joveronewusu.pdf
    • http://files.juliawebberforeanes.com/uploads/1/3/2/7/132712614/e6e3e9db332.pdf
    • http://files.cccsaa.org/uploads/1/3/2/7/132740250/tufedeg.pdf
    • https://cdn.shopify.com/s/files/1/0440/2089/1798/files/36624988885.pdf
    • https://cdn.shopify.com/s/files/1/0436/9190/1081/files/fujoseliwuru.pdf
    • https://cdn.shopify.com/s/files/1/0434/6524/4832/files/10113860408.pdf
    • https://cdn.shopify.com/s/files/1/0433/2794/6904/files/20069445468.pdf
    • https://cdn.shopify.com/s/files/1/0429/0255/2735/files/13661018111.pdf
    • https://cdn.shopify.com/s/files/1/0430/4030/9402/files/kizoguvivewadonogevusi.pdf
    • https://cdn.shopify.com/s/files/1/0438/1265/1170/files/38820975675.pdf
    • https://cdn.shopify.com/s/files/1/0431/3051/9716/files/xazaguvos.pdf
    • https://cdn.shopify.com/s/files/1/0428/1624/1831/files/berajo.pdf
    • https://cdn.shopify.com/s/files/1/0435/6613/7507/files/5332752647.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/89709194360.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000491d.bin
e5e2272b7dbf68faeca18c3cda223564da40c63a0618f1c91e4d62b7bbe23bd0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x491D 5072 bytes
font_01_sfnt_off00005a72.bin
2ac3fe350b7b58f6f2227273f70b39e6bd4cc0b5b9ef7987f3603783e3b1e8d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A72 9856 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.