Malicious PDF — malware analysis report

Static analysis result for SHA-256 f14317cfdb9acd87…

Verdict: MALICIOUS
File type: PDF
Size: 58.4 KB
Created: 2020-09-03 17:50:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5fccdc859e5879ec90093fe4653bc708
SHA-1: 94c374904b94d629c8258b92f18a75c8af1ba4b8
SHA-256: f14317cfdb9acd8784491c1d38e0c2a17f6140b89f0a9501a372569a1a32b5b2
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used to create link farms for SEO manipulation or to obscure malicious destinations. One of the primary links, 'https://ttraff.link/wix?keyword=pulmonary+av+malformation+radiology', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this same URL, suggesting it is the intended lure. The presence of numerous benign-looking links hosted on cdn.shopify.com is likely part of the link farm strategy to make the document appear less suspicious.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=pulmonary+av+malformation+radiology
    • https://static.usrfiles.com/ugd/51c472_276894b0dd504c72908b2379c38674bd.pdf
    • https://static.usrfiles.com/ugd/857e61_36b70f8ca4354a61a0ba768f1ba1c853.pdf
    • https://static.usrfiles.com/ugd/57c819_b273bab0a01844d3afaeca05e81e982f.pdf
    • https://cdn.shopify.com/s/files/1/0454/2785/1422/files/2653249849.pdf
    • https://cdn.shopify.com/s/files/1/0434/8326/7236/files/fakifufoziguxilewepoxa.pdf
    • https://cdn.shopify.com/s/files/1/0434/0563/9836/files/lisodejilodekelememe.pdf
    • https://cdn.shopify.com/s/files/1/0437/9777/4497/files/7126848362.pdf
    • https://cdn.shopify.com/s/files/1/0434/0298/5626/files/busolekabidukaki.pdf
    • https://cdn.shopify.com/s/files/1/0438/1392/9122/files/nepesumonelajaniwisena.pdf
    • https://cdn.shopify.com/s/files/1/0437/9980/6113/files/net_browser_for_pc_free.pdf
    • https://cdn.shopify.com/s/files/1/0437/8587/9713/files/data_analysis_procedure_sample.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mirogorozizodixomalejog.pdf
    • https://cdn.shopify.com/s/files/1/0432/2571/0756/files/dubunotetabiwi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00008ca9.bin
    SHA-256: c313027acc481619eaa99df506c174f5f925f6779c0bce71b1488eef23b08c3a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8CA9
    Size: 4976 bytes
  • font_01_sfnt_off00009d7b.bin
    SHA-256: b317138fdac6fba6b9732858ca1b0bb459d4714f930336a54d43ec00392bbaaa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9D7B
    Size: 14948 bytes
  • font_02_sfnt_off0000cbfe.bin
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCBFE
    Size: 4324 bytes