Malicious PDF — malware analysis report

Static analysis result for SHA-256 f587b6416c7178a0…

MALICIOUS

PDF

42.3 KB Created: 2020-08-15 06:30:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5268900d6df5c48db79bb679bb9da905 SHA-1: 91637af79a5a154d7d0ee6bd847f8c0a340c8e7f SHA-256: f587b6416c7178a0652d7865d684ee9e14964d88f5c630cf74d727a8cc89c08a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, many of which point to Shopify domains hosting other PDFs, creating a link farm. One critical heuristic identified a link to a known malicious redirector, ttraff.com, which is designed to lure users into clicking on further malicious content. The document body, though heavily obfuscated, contains the target URL, suggesting an attempt to disguise malicious redirection as legitimate document content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=district+court+nsw+unreported+judgments
    • http://files.sc-air.org/uploads/1/3/0/7/130776735/0e8f570fdd90cf.pdf
    • http://files.naturalmusicmarketing.net/uploads/1/3/0/8/130813899/9533ce77c1e795.pdf
    • https://cdn.shopify.com/s/files/1/0434/3994/7932/files/voting_ballot_template.pdf
    • https://cdn.shopify.com/s/files/1/0428/0962/2687/files/amazing_grace_the_history_and_theology_of_calvinism.pdf
    • https://cdn.shopify.com/s/files/1/0449/9108/6750/files/vuvumuletoxapamepediwibew.pdf
    • https://cdn.shopify.com/s/files/1/0436/2053/2384/files/38961664479.pdf
    • https://cdn.shopify.com/s/files/1/0431/7020/1760/files/55250389161.pdf
    • https://cdn.shopify.com/s/files/1/0437/8437/2386/files/borrowers_and_lenders_act_ghana.pdf
    • https://cdn.shopify.com/s/files/1/0447/9008/7829/files/wagowakajulaloxezixux.pdf
    • https://cdn.shopify.com/s/files/1/0430/9480/2581/files/kejegotijewixoraxab.pdf
    • https://cdn.shopify.com/s/files/1/0433/7932/7137/files/tawuperugowonafavokano.pdf
    • https://cdn.shopify.com/s/files/1/0434/1425/7820/files/kedovakasodipu.pdf
    • https://cdn.shopify.com/s/files/1/0433/5032/7451/files/11884818659.pdf
    • https://cdn.shopify.com/s/files/1/0431/6191/1460/files/tunudiperexibupalajelule.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006878.bin
b91afec0604bbf9777becb3c1a25482c773388f4b3b6ce38b3625d3dcab2852a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6878 5316 bytes
font_01_sfnt_off00007a8b.bin
52f529874e2eda94eb2a097c06364c1189eeeb3f6dc0d8658e8040a5263e7348		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A8B 9976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.