Malicious PDF — malware analysis report

Static analysis result for SHA-256 f45d7186c09bf480…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Created: 2020-08-22 08:05:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82f13c34b41120555b33239a76e8e7c2
SHA-1: 727531921efd49de5ece0ceb5b059e288a52b471
SHA-256: f45d7186c09bf48009f47fdbc684c4e88cba880d2815297737b277044537b2ab
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=image+translate+app'. The document body also contains this URL, along with numerous other links hosted on Shopify, suggesting a link farm designed to obscure the true malicious destination. The primary attack pattern involves tricking the user into clicking the malicious link under the guise of an 'image translate app'.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=image+translate+app

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006397.bin
  SHA-256: 761fc07027ebf7b9ac5ab7f4b5ff5a89db814787f68c857e08d6e9d2659084d6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6397
  Size: 5076 bytes

Filename: font_01_sfnt_off000074b0.bin
  SHA-256: 2d1c02d7faeb7dad5af5d103f135926a0d4fd4e69f3a7da8959d46cf8e88466d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x74B0
  Size: 3120 bytes

Filename: font_02_sfnt_off00008133.bin
  SHA-256: 4b8fee37e0526935f6c4c764a87420d8d87150a0b19c7c61fa5aa3a0f3e4b663
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8133
  Size: 10308 bytes