Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb2c44c57f389cdd…

MALICIOUS

PDF

44.5 KB Created: 2020-08-29 04:20:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7861803d15f0c98d81e19dbe2e66a4ca SHA-1: fb8b430a82c78753c60e80ea08e5b9752fdd7844 SHA-256: fb2c44c57f389cdd7d71256b5330cc8d34a6a56014f7e80f3386309ffc089847
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to SEO-optimized PDF files hosted on Shopify. One of these links, however, directs to a known malicious redirector at 'ttraff.com'. This suggests a tactic of using seemingly benign content to lure victims into clicking malicious links, potentially for phishing or malware distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=software+estimation+demystifying+the+black+art+review
    • https://cdn.shopify.com/s/files/1/0437/9266/2688/files/adaptation_of_fish.pdf
    • https://cdn.shopify.com/s/files/1/0427/8488/2844/files/63988538262.pdf
    • https://cdn.shopify.com/s/files/1/0437/7581/9927/files/weekly_progress_report_template_elementary_school.pdf
    • https://cdn.shopify.com/s/files/1/0429/8611/1137/files/napem.pdf
    • https://cdn.shopify.com/s/files/1/0437/3889/0394/files/tropic_of_cancer_henry_miller.pdf
    • https://static.usrfiles.com/ugd/b8c837_7db0d350fd5647a1a2727bb7f3977c85.pdf
    • https://static.usrfiles.com/ugd/b8c837_0fb39f26462b4bc6affe90b002127bdc.pdf
    • https://cdn.shopify.com/s/files/1/0428/3075/8054/files/storia_cicala_e_formica_morale.pdf
    • https://cdn.shopify.com/s/files/1/0432/7142/2102/files/dabazofirujivo.pdf
    • https://cdn.shopify.com/s/files/1/0461/8833/1161/files/30799617500.pdf
    • https://cdn.shopify.com/s/files/1/0443/6908/4572/files/phone_call_app_free.pdf
    • https://cdn.shopify.com/s/files/1/0434/7474/7558/files/av_nodal_reentrant_tachycardia.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c51.bin
6b7fd2254d5a3b0d67487c6149cb663a46845b72685c1f095add7fcec91e2b53		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C51 5996 bytes
font_01_sfnt_off000080a1.bin
2502067cb66dc6c3bfdad82a1dff448c92b8566009a078837393c22538d35d16		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80A1 10584 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.