Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7f420cdba852124…

MALICIOUS

PDF

36.5 KB Created: 2020-08-31 07:52:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e69b173413bbdde5f0e3adee17d655d SHA-1: 9c87ed383ed8b667d4da6e026ef39b2673257a86 SHA-256: f7f420cdba8521248114b30ea3a52f318090611006876a15210b2a049597cc54
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDF files. One of these links, 'https://ttraff.com/wix?keyword=legend+online+h%25C4%25B1zl%25C4%25B1+giri%25C5%259F+1.1.2', is identified as a known malicious redirector. This suggests the document is part of a link farm or SEO poisoning campaign designed to lure users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=legend+online+h%25C4%25B1zl%25C4%25B1+giri%25C5%259F+1.1.2
    • https://static.usrfiles.com/ugd/b8c837_7bf5729d17f74ebdada24755f1b99802.pdf
    • https://static.usrfiles.com/ugd/e7e4a0_24498b798bba4c1d962969453df0cfd1.pdf
    • https://static.usrfiles.com/ugd/b8c837_67e202df558441b9b48a5e8b9e5731da.pdf
    • https://static.usrfiles.com/ugd/ec0c41_ee6427c978d544ed904050909f1a77fa.pdf
    • https://cdn.shopify.com/s/files/1/0438/2710/1853/files/gruffalo_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0430/3765/5191/files/82012494288.pdf
    • https://cdn.shopify.com/s/files/1/0434/9257/3336/files/6770186688.pdf
    • https://cdn.shopify.com/s/files/1/0432/4337/2699/files/nightbot_custom_commands_ideas.pdf
    • https://static.usrfiles.com/ugd/122077_3a13062271ce4e11a91ebde7587f5ad2.pdf
    • https://static.usrfiles.com/ugd/8e1900_371cc04abcb0447eb65f2cdd9e3d0387.pdf
    • https://static.usrfiles.com/ugd/ec0c41_4959e14af45842f596117ec7f1b80446.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nemopijudesukofareran.pdf
    • https://cdn.shopify.com/s/files/1/0430/4227/5485/files/zugutofikenopekeg.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004cf3.bin
d9e86b86d1b5e02bb4fa425e668821347ff638d7796c8b0de89b9e3041225f7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4CF3 5184 bytes
font_01_sfnt_off00005ea0.bin
80c192142f887e19042d90bc4ac0a518840f836571eb061eee3b23f311a16c05		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EA0 11884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.