Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa359c378eee9dfb…

MALICIOUS

PDF

44.3 KB Created: 2020-09-17 13:08:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f06dbf96679299748a5f0f5a64ae1f8 SHA-1: 7ca3ea71e2cc24fe2dd4a10ae79d9bc54612eddd SHA-256: fa359c378eee9dfb588ec94479cba28617c6d0f0a53c25b58beb5d4a6a725602
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One of these links, https://ttraff.club/wix?keyword=trek+370+sport+value, is flagged as a known malicious redirector. This indicates a likely attempt to lure users to malicious sites through a deceptive document.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=trek+370+sport+value
    • https://cdn.shopify.com/s/files/1/0428/2574/4547/files/muninumenipaperuloko.pdf
    • https://cdn.shopify.com/s/files/1/0440/8829/5576/files/ford_sony_cd_player_manual.pdf
    • https://cdn.shopify.com/s/files/1/0435/9972/4702/files/suffolk_county_pistol_permit_application.pdf
    • https://cdn.shopify.com/s/files/1/0427/5575/2103/files/33035288830.pdf
    • https://cdn.shopify.com/s/files/1/0429/1241/5897/files/73631798975.pdf
    • https://cdn.shopify.com/s/files/1/0429/2778/4099/files/kisogisikozemoniwe.pdf
    • https://cdn.shopify.com/s/files/1/0436/0175/6323/files/indian_names_male.pdf
    • https://cdn.shopify.com/s/files/1/0468/1501/9162/files/gonorrhea_guidelines_2016.pdf
    • https://cdn.shopify.com/s/files/1/0429/2250/8447/files/properties_of_logarithms_worksheet_glencoe_algebra_2.pdf
    • https://cdn.shopify.com/s/files/1/0434/9198/3512/files/55238577735.pdf
    • https://4e107858-08c5-4f48-924c-d3cbced29563.filesusr.com/ugd/e80f4c_8619193d2d904e28b005b4196173d10d.pdf?index=true
    • https://91e3911d-a8e6-4f11-b362-b450064fd840.filesusr.com/ugd/d5d855_bb0378ce67ca4331937c382a3af4d8d3.pdf?index=true
    • https://852c3384-3772-405f-b05a-978223b64b5c.filesusr.com/ugd/e745be_3d0c726e1f2b41b2b2ac5bc4a4eaf117.pdf?index=true
    • https://0dcb09c7-f462-48d5-9eb8-e8d3186a7fac.filesusr.com/ugd/ed2d23_063a4d081217429e9b17c2e3528a1850.pdf?index=true
    • https://e8f2a7b6-e0ed-479f-8142-a1dde8e49399.filesusr.com/ugd/e66789_963ae47f69564554a7d611ea0be76830.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d32.bin
7852f0c5ae7f030eb0a39c93b2a71d6744251b308500c08aac28541a10491516		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D32 5272 bytes
font_01_sfnt_off00007f39.bin
c34ea9d4ceeb42ea9b7e10c74bef78ee0d5e875c47b8d4465544afcdedee0784		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F39 10996 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.