Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff10611782b3b927…

MALICIOUS

PDF

45.2 KB Created: 2020-08-12 11:51:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82782af240db44662b6761b04b9e761a SHA-1: da06c8def7a51e29e3ba234021a534b5671abc45 SHA-256: ff10611782b3b927d80a819ef311995614fe0a475f45b012ccfbca9f0b53ecb2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with a primary malicious redirector link to 'ttraff.com'. The document body, though heavily corrupted, contains text related to 'Centre parcs woburn map pdf', suggesting a lure to disguise the malicious intent. The presence of numerous links, many pointing to Shopify domains, indicates a tactic to obscure the malicious destination and potentially leverage benign-looking domains for distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=centre+parcs+woburn+map+pdf
    • http://files.sheungshan.com/uploads/1/3/2/8/132815207/vesavawokuri_jowegifobemukox.pdf
    • http://files.justaddmagictravel.com/uploads/1/3/0/7/130775862/sukov.pdf
    • http://files.restaurantrealtytx.com/uploads/1/3/1/4/131406506/1a77f8.pdf
    • https://cdn.shopify.com/s/files/1/0430/5174/5442/files/77428725414.pdf
    • https://cdn.shopify.com/s/files/1/0438/6599/7472/files/91727296311.pdf
    • https://cdn.shopify.com/s/files/1/0431/7180/7392/files/journey_girl_can_t_help_it.pdf
    • https://cdn.shopify.com/s/files/1/0431/2032/8865/files/gujizubanorukopozate.pdf
    • https://cdn.shopify.com/s/files/1/0430/7373/2768/files/36553290910.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/92588710477.pdf
    • https://cdn.shopify.com/s/files/1/0428/9275/5103/files/fetekapikoveno.pdf
    • https://cdn.shopify.com/s/files/1/0431/4287/3249/files/algorithms_in_c_part_5_robert_sedgewick.pdf
    • https://cdn.shopify.com/s/files/1/0432/1263/6322/files/23624397707.pdf
    • https://cdn.shopify.com/s/files/1/0437/9554/6273/files/67837163694.pdf
    • https://cdn.shopify.com/s/files/1/0435/0876/0742/files/xejela.pdf
    • https://cdn.shopify.com/s/files/1/0434/7019/2805/files/34388122401.pdf
    • https://cdn.shopify.com/s/files/1/0431/7229/8918/files/28808074324.pdf
    • https://cdn.shopify.com/s/files/1/0430/9506/4730/files/39447489076.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007272.bin
e84e02ac1d58d363b10a5d79249bdb7d901a207378f1193632dad21dd8864b90		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7272 5404 bytes
font_01_sfnt_off000084bb.bin
72c8e4d21aaf1109e7d5d1cd279e716837437abc09cfbd999a7c774086d3c70d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84BB 10360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.