Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4f9b77cfcba071f…

MALICIOUS

PDF

47.2 KB Created: 2020-08-26 09:46:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4945f96241d9885e2135b3dda5b760b2 SHA-1: 43518ba1f03613335592c2daf23d323cbce45a0c SHA-256: f4f9b77cfcba071fa897823d51824db51589da0fdbef6ace161d6b577d96cdfd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDF files hosted on various domains. One critical heuristic identified a link to a known malicious redirector, 'ttraff.link', which is likely used to obscure the final malicious destination. The document body is largely unreadable, but the presence of the redirector and the link farm strongly suggests a social engineering attack aimed at directing users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=a+street+in+bronzeville
    • http://bekitox.catmorgan.com/uploads/1/3/1/4/131437549/1c5a465a522.pdf
    • http://files.cougarthreads.com/uploads/1/3/1/3/131398362/zoroselilulefez.pdf
    • http://files.goldenstandardimport.com/uploads/1/3/1/6/131637136/a0b507.pdf
    • http://files.eastcincyogaschool.com/uploads/1/3/0/9/130969791/6946707.pdf
    • http://files.hhsupps.com/uploads/1/3/0/7/130776645/kibisu.pdf
    • https://cdn.shopify.com/s/files/1/0440/6693/0840/files/baxuvikudikutaxurokod.pdf
    • https://cdn.shopify.com/s/files/1/0438/9430/9019/files/19038951570.pdf
    • https://cdn.shopify.com/s/files/1/0428/3216/7068/files/12698196573.pdf
    • https://cdn.shopify.com/s/files/1/0433/6772/7269/files/ktu_academic_calendar_2020_19.pdf
    • https://cdn.shopify.com/s/files/1/0432/8436/5476/files/liwamike.pdf
    • https://cdn.shopify.com/s/files/1/0461/8105/6665/files/jukugemas.pdf
    • https://cdn.shopify.com/s/files/1/0429/6320/6307/files/source_filmmaker_workshop_er.pdf
    • https://cdn.shopify.com/s/files/1/0438/0501/6226/files/the_birdcage_cast.pdf
    • https://cdn.shopify.com/s/files/1/0427/7311/9143/files/78729112284.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007c43.bin
ab0644e0100ad8604befcf781e34a1fa7fa81c2f3181e1362621444fde12d8d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C43 4708 bytes
font_01_sfnt_off00008c61.bin
1c3584e795f12668ac66b75a18ce8eee50734a554e6648dfa11c01d97c40832a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C61 10368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.