Malicious PDF — malware analysis report

Static analysis result for SHA-256 209255ad1e0db77b…

Verdict: MALICIOUS
File type: PDF
Size: 42.0 KB
Created: 2020-08-07 00:03:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fce75aa875ad0c5eef03da696b0fc3b
SHA-1: a3d17451f54ea021ecafc2972b253a66d430f755
SHA-256: 209255ad1e0db77b807f75dae522aeb14f3405c172add296993173c5281cbaa9
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic identifying a link to a known malicious redirector at "https://ttraff.com/pify?keyword=cycloaddition+reaction+pdf". This suggests the document is designed to redirect users to malicious infrastructure. The document body, though heavily obfuscated, contains the same URL and references to "cycloaddition reaction pdf", likely serving as a lure. The presence of many external PDF links also indicates a link farm, a common tactic for SEO poisoning or distributing malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=cycloaddition+reaction+pdf
    • http://files.auntbettyskitchen.com/uploads/1/3/1/3/131379246/fupebuxodaf-vopajifilowas-varedivixose-rexozuxa.pdf
    • http://files.dianamdurand.com/uploads/1/3/2/7/132740435/sumeligidikin.pdf
    • http://files.thearbroathspitfire.com/uploads/1/3/0/7/130775484/d16106f7f6e.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65028435792.pdf
    • https://cdn.shopify.com/s/files/1/0430/4375/0049/files/lojitopuw.pdf
    • https://cdn.shopify.com/s/files/1/0428/7738/6918/files/tuvel.pdf
    • https://cdn.shopify.com/s/files/1/0429/5216/3482/files/34984600736.pdf
    • https://cdn.shopify.com/s/files/1/0436/7430/4662/files/zigobopogezub.pdf
    • https://cdn.shopify.com/s/files/1/0428/9688/3868/files/povatipufenogesozapevabuf.pdf
    • https://cdn.shopify.com/s/files/1/0431/9641/6157/files/zaxuruguta.pdf
    • https://cdn.shopify.com/s/files/1/0436/6427/7657/files/zorejaruv.pdf
    • https://cdn.shopify.com/s/files/1/0434/5197/3794/files/30998434267.pdf
    • https://cdn.shopify.com/s/files/1/0429/1543/0559/files/xewedelixaxafax.pdf
    • https://cdn.shopify.com/s/files/1/0428/3337/9487/files/88887267137.pdf
    • https://cdn.shopify.com/s/files/1/0437/2037/6474/files/68909587738.pdf
    • https://cdn.shopify.com/s/files/1/0433/9456/4252/files/53424032731.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006833.bin
    SHA-256: 70e952e75e5b3006968eabf37123264f71d596c4be51536dfc44e73ffc9fad6e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6833
    Size: 4976 bytes
  • Filename: font_01_sfnt_off00007937.bin
    SHA-256: ee696c7e2beccba23bd52e1aa35276790d7720bb3a3dad84b013221e5c775ce1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7937
    Size: 9996 bytes