Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6c43c97eec26004…

MALICIOUS

PDF

32.8 KB Created: 2020-08-31 03:02:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 803c6af0044a2d5de7132c82a9fefbd1 SHA-1: ba077c3838c4e8b4ae6141f7fd2cd6062d1d7674 SHA-256: f6c43c97eec26004664017e8306040cfb9214616c1efe136de6f83c30086eaf9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file exhibits characteristics of a link farm, with numerous embedded URLs. One critical heuristic identified a link to known malicious redirector infrastructure at 'https://ttraff.club/wix?keyword=mercury+outboard+15+hp+2+stroke+manu'. The document body, though heavily obfuscated, contains this URL and other benign-looking Shopify links, suggesting a lure to a malicious site. No scripts were extracted, but the presence of a malicious redirector strongly indicates an intent to lead the user to a harmful destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=mercury+outboard+15+hp+2+stroke+manu
    • https://cdn.shopify.com/s/files/1/0432/5448/1056/files/nedonarazuru.pdf
    • https://cdn.shopify.com/s/files/1/0432/5461/2123/files/boradu.pdf
    • https://cdn.shopify.com/s/files/1/0434/5842/9089/files/23076754327.pdf
    • https://static.usrfiles.com/ugd/b8c837_a573635522b04c1a9b154a6f71eb4ae0.pdf
    • https://static.usrfiles.com/ugd/ca300b_5dccb80c2a0c469fad1ebc187738af87.pdf
    • https://cdn.shopify.com/s/files/1/0428/2862/8135/files/35089605051.pdf
    • https://cdn.shopify.com/s/files/1/0435/0961/2712/files/dimebelofasogudefejagulun.pdf
    • https://cdn.shopify.com/s/files/1/0427/6515/6508/files/quickstudy_reference_guides.pdf
    • https://static.usrfiles.com/ugd/4d6844_69d4efaf17d34809b542250fac0d5b85.pdf
    • https://static.usrfiles.com/ugd/9ea91e_7cd87e2c78704b829e474ba3f4f85111.pdf
    • https://static.usrfiles.com/ugd/963627_be60bb6351c04dd890b3ce97e02796b3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000040d1.bin
5c0dc02ff70805e61701b122e5bdfb01ab9b9fb9d3c0ac3c8e00e669644bff75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x40D1 5900 bytes
font_01_sfnt_off000054d5.bin
c3b28228ebbcb994992fadeb8138d1dd968d4ac1b206025afd1bd222f4166995		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54D5 10372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.