Malicious PDF — malware analysis report

Static analysis result for SHA-256 f23273730a20bdb5…

MALICIOUS

PDF

45.9 KB Created: 2020-08-30 16:46:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 56db6fc2a5a51c58c9b65aabeee68af9 SHA-1: d69112cf164944203bb254ef5b58f9ef53026f54 SHA-256: f23273730a20bdb5de240fdd1e9f2f6c07dfa25a962dd25f3b91d085d7e82c7d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic firing indicates that the document links to a known malicious redirector infrastructure at 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL and a reference to a car model, suggesting a lure to disguise the malicious intent. The presence of numerous links to 'static.usrfiles.com' and 'cdn.shopify.com' suggests a link farm or SEO poisoning tactic to distribute the malicious PDF.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=2005+nissan+350z+gas+mileage+manual
    • https://static.usrfiles.com/ugd/a838c0_9e5bfa09bbbd4156b432ff06b508f430.pdf
    • https://static.usrfiles.com/ugd/a6e5e9_6fc0a2b605ca46dead950e66a2943c7d.pdf
    • https://static.usrfiles.com/ugd/b8c837_6e43aeba9e79492dbf2cae5d68a824a9.pdf
    • https://cdn.shopify.com/s/files/1/0433/3086/3259/files/dutozugogiluxidobowexuka.pdf
    • https://cdn.shopify.com/s/files/1/0432/4478/1735/files/97864738006.pdf
    • https://cdn.shopify.com/s/files/1/0429/6107/6387/files/sasagupaw.pdf
    • https://static.usrfiles.com/ugd/756799_93f0ffa5cb5d49e3abd005fd953b1cde.pdf
    • https://static.usrfiles.com/ugd/b8c837_1c45879901e34e7a9171cf37e6f36f16.pdf
    • https://cdn.shopify.com/s/files/1/0427/8566/9279/files/fikidifoxu.pdf
    • https://cdn.shopify.com/s/files/1/0435/0076/5336/files/46534911730.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ab4.bin
5f3f9e7cced43a7131526bdd28d15599ebd943c67f6b81c6986208fa8b32c1b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AB4 5120 bytes
font_01_sfnt_off00006bf1.bin
4ace385621d22c786d729bb387ef2eba9cacc641795788657763162d03b47a7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BF1 14988 bytes
font_02_sfnt_off00009ac3.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9AC3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.