Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1a256270b8135a9…

MALICIOUS

PDF

37.3 KB Created: 2020-08-23 23:19:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 753d10ff47591efce7e1d796d39014df SHA-1: b840217cf3d3af66f480930d7948ce200d4d29be SHA-256: f1a256270b8135a92bc52582928dd0c08fe06fc5a61533db21dbd75fd04a6e37
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary heuristic indicates a malicious redirector link to 'ttraff.cc', which is likely used to obscure the final malicious destination. The document body, though heavily obfuscated, contains the same redirector URL, suggesting it's the intended lure. The presence of numerous Shopify-hosted PDF links likely serves to improve the SEO ranking of the malicious redirector, making it appear more legitimate.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=tv+guide+now+melbourne
    • http://zapogip.likeagoodbook.com/uploads/1/3/1/3/131382406/615084baaca.pdf
    • https://cdn.shopify.com/s/files/1/0436/0706/4734/files/estudios_de_casos_de_la_economa_ambiental_en_colombia.pdf
    • https://cdn.shopify.com/s/files/1/0435/3127/2346/files/50764008402.pdf
    • https://cdn.shopify.com/s/files/1/0436/1460/1378/files/amortissement_comptable_maroc.pdf
    • https://cdn.shopify.com/s/files/1/0461/7338/8953/files/passenger_let_her_go_guitar_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0437/1261/0472/files/kisiw.pdf
    • https://cdn.shopify.com/s/files/1/0431/1767/4656/files/vinyl_vs_cd.pdf
    • https://cdn.shopify.com/s/files/1/0436/5844/4958/files/cristianismo_puro_e_simples.pdf
    • https://cdn.shopify.com/s/files/1/0430/6852/2657/files/encyclopedia_book_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/4329/9232/files/gegekavukudos.pdf
    • https://cdn.shopify.com/s/files/1/0429/9830/0823/files/76019271416.pdf
    • https://cdn.shopify.com/s/files/1/0432/5824/9376/files/shots_drumline_cadence_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0429/6055/2085/files/oxford_discover_4_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0437/3577/7445/files/belajar_coding_android.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005652.bin
46de67662e36b580e3a2ab3a17107858f466db8dbd7bd7ccb385e30dcf5b99be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5652 5000 bytes
font_01_sfnt_off0000674e.bin
057401441fcf6140d488d456bdb0949a37b143d324d3cee1710c9f7da1a86c10		 pdf-font-stream PDF embedded font (sfnt) at offset 0x674E 9812 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.