Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa2f961d0c33a0d7…

MALICIOUS

PDF

53.6 KB Created: 2020-08-30 05:32:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ef0cb53fdbb3aef1b1860fe00ef5475 SHA-1: d6eee80cd7816e2ab80b99efd348adf0520675c8 SHA-256: fa2f961d0c33a0d77b88464b7d6f69a600a307df3d8860ea51200aeb96e2a440
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, 'https://ttraff.com/wix?keyword=trainer+lindsey+15+day+challenge+mea', is flagged as a known malicious redirector. The presence of numerous links, many pointing to Shopify domains, suggests an attempt to obscure the ultimate destination and potentially distribute malicious content or conduct phishing operations. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=trainer+lindsey+15+day+challenge+mea
    • https://cdn.shopify.com/s/files/1/0440/5483/9461/files/19873314010.pdf
    • https://cdn.shopify.com/s/files/1/0430/2998/7489/files/baukindergeld_2020_antrag.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/birizakidunupujudexi.pdf
    • https://cdn.shopify.com/s/files/1/0433/9200/8357/files/gapebovolexed.pdf
    • https://cdn.shopify.com/s/files/1/0433/6641/6534/files/soferevipavirirawitutota.pdf
    • https://cdn.shopify.com/s/files/1/0437/1631/3242/files/xenenumamelebovewewatesax.pdf
    • https://cdn.shopify.com/s/files/1/0434/5420/2013/files/kptcl_syllabus.pdf
    • https://cdn.shopify.com/s/files/1/0435/7819/6129/files/zewutujixisi.pdf
    • https://static.usrfiles.com/ugd/dfb5f8_7da7e7f3904d41fb97e7fc3ebfc10202.pdf
    • https://static.usrfiles.com/ugd/b8c837_e8f9b1f3727c49e0a214c508011206bd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000072a0.bin
53b46c21c21f380a5f5fad11c04dd2d3fe35cbc3eb234ed95d73a81b62815d8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72A0 5580 bytes
font_01_sfnt_off0000856d.bin
ed51b0ebd4fde5ef4ac091722a637ff45f7f9295ddfd49491fd26536bd17ce32		 pdf-font-stream PDF embedded font (sfnt) at offset 0x856D 2052 bytes
font_02_sfnt_off00008e23.bin
2fdf22915b8ecb0e1830d1c13f03cd12473b61c0b83740cc7a9e73969de2a13a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E23 10592 bytes
font_03_sfnt_off0000b292.bin
49f94c099222b2b083c5b1335efd6a58e95aee5760051651c8c8458a3fa7a8b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB292 16620 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.