Malicious PDF — malware analysis report

Static analysis result for SHA-256 1cc80769525feb73…

Verdict: MALICIOUS
File type: PDF
Size: 48.2 KB
Created: 2020-08-11 02:17:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45e3e8edd9df4c22d3afa81ed74afc6c
SHA-1: 32e4a44acca52af441cf3e9d271c552e6accda5e
SHA-256: 1cc80769525feb730e868b3d7d22a4bd00ec71270cc254dc48b935b01a7e81ec
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=bouncing+check+law+pdf'. This, combined with the 'SE_INVOICE_LURE' and 'SE_CALLBACK_LURE' heuristics, suggests a phishing or scam attempt. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the intent to direct the user to harmful infrastructure. The presence of numerous other PDF links, many hosted on Shopify, indicates a link farm used for SEO poisoning or distributing malicious content.

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=bouncing+check+law+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007044.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7044
    Size: 5152 bytes
    SHA-256: 03fe75b9498239a0e923f46a3cd70e35c4de612b3dfcbf6e622a7f21150b9c74
  • Filename: font_01_sfnt_off000081d7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x81D7
    Size: 10520 bytes
    SHA-256: edee5de45bd655d70ae5486ed37f54bbb5ee48d20d77baabb9590ff4bb3ef353
  • Filename: font_02_sfnt_off0000a5cd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA5CD
    Size: 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378