Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe4275ff994cf057…

MALICIOUS

PDF

45.0 KB Created: 2020-09-16 17:49:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 634fc1308c1d289565d815b07d0d2f95 SHA-1: 71882361d5a21fbb9f4ff2520be1171c8d44e203 SHA-256: fe4275ff994cf057ce39a88fbf8322ceb1569e2d25a2b18d46b489bb8a3adbbf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a large number of external links, a technique often used in SEO link farms to manipulate search engine rankings or distribute malicious content. One of the embedded URLs, https://ttraff.me/wix?keyword=next+frontier+of+inclusion, is flagged as a known malicious redirector. The document body contains garbled text but includes the same URL, suggesting it is the primary lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=next+frontier+of+inclusion
    • https://9f151191-b049-427b-a296-b81101ec4174.filesusr.com/ugd/c722c2_1b572d9d45234f1b9d84ccd5b14922a1.pdf?index=true
    • https://96156f19-2803-4b59-ab77-143c9cbd2340.filesusr.com/ugd/b8c837_cc2a3a36ddc444128d8eb7587f59a267.pdf?index=true
    • https://10e1d43d-37e5-42bd-bca6-fb2ec3e86e9a.filesusr.com/ugd/aef5b7_3bb13f5b379345ff802ce3adb640a126.pdf?index=true
    • https://10e3bbbc-f7fe-419f-b1e2-95d319d53cda.filesusr.com/ugd/3225da_8b01116ff41f4a78be23428b2ccaef35.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0429/8620/9439/files/48506684634.pdf
    • https://d1946ad7-a2d3-44e1-9580-4a1c2544556e.filesusr.com/ugd/8e7730_7bbc749e12934dcfa631470a4c15dd7b.pdf?index=true
    • https://6738bbdd-f44b-4892-bb95-92b49358698f.filesusr.com/ugd/154db6_5a35506044b24ab19a6f558e93e5e5cc.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/0413/3525/files/baxokezegitunutaralededir.pdf
    • https://cdn.shopify.com/s/files/1/0437/9050/0001/files/osrs_abyssal_sire_guide.pdf
    • https://cdn.shopify.com/s/files/1/0430/5921/6533/files/91st_amendment.pdf
    • https://cdn.shopify.com/s/files/1/0432/2479/3245/files/ramefetilutibepak.pdf
    • https://cdn.shopify.com/s/files/1/0435/0607/3759/files/29971163212.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007512.bin
afe0230d3e176ad65b2af26c99151ff1fa82095b65003d78af83b43394751673		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7512 4704 bytes
font_01_sfnt_off00008531.bin
83f6a97102679a8a3712ce8982b04cd8be88376f2e77ba8c8462fa88e1dc94e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8531 10072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.