Malicious PDF — malware analysis report

Static analysis result for SHA-256 f16104636ff682de…

MALICIOUS

PDF

46.6 KB Created: 2020-08-02 17:22:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49dc0417b831c108caed25f7f6ab169d SHA-1: c11007d335170dff6c677e2a1e9ccbbcb1370792 SHA-256: f16104636ff682dead13f3b3fe357e4fd4a27e09cee92ee38e0d6ebb941d52de
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with many pointing to a redirector service (ttraff.cc). This suggests a link farm or redirection strategy to obscure the ultimate destination of the malicious content. The presence of numerous PDF links, many hosted on cdn.shopify.com, indicates a potential attempt to leverage legitimate platforms for hosting or distributing malicious content. No scripts were extracted, and the document body is largely unreadable binary data, but the heuristic firings strongly indicate a malicious redirection scheme.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=css+media+query
    • http://files.sovereign-gundogs.com/uploads/1/3/0/7/130740561/kitiwulopokiwu.pdf
    • http://files.starplanappliances.com/uploads/1/3/1/6/131606672/bemotudisi_limurakeva_bufifidexi_bixazazunasixij.pdf
    • http://files.rosieandtherivets.com/uploads/1/3/0/7/130775347/xajetaful.pdf
    • http://files.allaboutpallets.com/uploads/1/3/2/6/132681901/xapavekolu.pdf
    • https://cdn.shopify.com/s/files/1/0431/2314/6909/files/15716201625.pdf
    • https://cdn.shopify.com/s/files/1/0438/1566/5826/files/kojimimatuladudikura.pdf
    • https://cdn.shopify.com/s/files/1/0434/3834/2311/files/fugoxowazapimuvosigow.pdf
    • https://cdn.shopify.com/s/files/1/0437/1588/7256/files/43478097864.pdf
    • https://cdn.shopify.com/s/files/1/0431/7960/6176/files/45944753823.pdf
    • https://cdn.shopify.com/s/files/1/0434/5511/9512/files/99822744235.pdf
    • https://cdn.shopify.com/s/files/1/0434/0681/9493/files/xitusirifipewenebozoxon.pdf
    • https://cdn.shopify.com/s/files/1/0430/3601/6803/files/sufuten.pdf
    • https://cdn.shopify.com/s/files/1/0429/4685/5078/files/xiwuwatebilekovogoviz.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dosoxuwananeworatimuk.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wajafaliwufenosikem.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000782c.bin
e1184e56af3311373ad8637c8688a111cdebc428d3b0c08ac10c456b1b4f99e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x782C 5072 bytes
font_01_sfnt_off00008951.bin
993cd3b3b21d868f8a97ecba991b1a1a8091dd7f677206f2905a6d5a6959f178		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8951 11412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.