Malicious PDF — malware analysis report

Static analysis result for SHA-256 1de227db0c10114e…

MALICIOUS

PDF

38.4 KB Created: 2020-07-30 01:43:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8c422be8cb7c554e8f972b96943b4936 SHA-1: 3bd2e05f77dde76cf6c3068ba4b68898dd052fe1 SHA-256: 1de227db0c10114eacb100f66e96aace6233e7047a2d2a728d32b109dd84ca17
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. It also exhibits characteristics of a PDF link farm, with numerous external links, many hosted on Shopify. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf and includes a keyword related to administrative audits, likely a lure. The primary malicious IOC is the redirector URL, which is designed to lead users to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=auditoria+administrativa+joaquin+rodriguez+valencia+libro+pdf
    • http://files.essenceofblissmassage.com/uploads/1/3/0/7/130739268/razurapiriro-wirakixawil.pdf
    • http://files.sunshinecharities.com/uploads/1/3/1/0/131070982/xerebuteneke-suleziwur-wipat-bolaradonizuwi.pdf
    • http://files.uniqorner.com/uploads/1/3/1/8/131856771/713365.pdf
    • https://cdn.shopify.com/s/files/1/0432/0067/6001/files/55773575909.pdf
    • https://cdn.shopify.com/s/files/1/0434/4584/6168/files/68390194015.pdf
    • https://cdn.shopify.com/s/files/1/0427/4749/4567/files/dojakivirit.pdf
    • https://cdn.shopify.com/s/files/1/0435/1302/0570/files/37089993621.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/80804151078.pdf
    • https://cdn.shopify.com/s/files/1/0433/5622/5688/files/kugigo.pdf
    • https://cdn.shopify.com/s/files/1/0437/5586/4215/files/23453633110.pdf
    • https://cdn.shopify.com/s/files/1/0432/8869/0844/files/dorifug.pdf
    • https://cdn.shopify.com/s/files/1/0428/8475/9711/files/fulefarolelimogagarol.pdf
    • https://cdn.shopify.com/s/files/1/0436/3301/6982/files/muxinof.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/11067845032.pdf
    • https://cdn.shopify.com/s/files/1/0436/8538/0246/files/fakawinuwiwujevi.pdf
    • https://cdn.shopify.com/s/files/1/0435/2793/0011/files/bejumolebepamagomerevuwi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000551e.bin
ff472160be1c339e3221f92e22ec8c203db8b457a748fffe6bf222763c7bc5e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x551E 5800 bytes
font_01_sfnt_off000068be.bin
e88f45a4db8df973af906c6a77a77f66b193b64e6640807f78e5778b4a4e1020		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68BE 10224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.