Malicious PDF — malware analysis report

Static analysis result for SHA-256 20c90bc4223ef372…

MALICIOUS

PDF

41.0 KB Created: 2020-08-01 19:43:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c5a91fa00febe19abd990f6cc9a9f47 SHA-1: 580ab8a6b0c5ba89b7adef7c24b15cb831b99331 SHA-256: 20c90bc4223ef372f2c2be61f5a3e530fbf530dfe762e5a70b09eef9f6385eea
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a malicious URL, disguised as information about Windows 7 live CDs. The PDF also contains a large number of external links, many of which are to Shopify domains, suggesting a link farm or SEO manipulation tactic. The primary malicious URL identified is ttraff.cc, which is used for redirection.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=windows+7+livecd
    • http://files.theforgottenkids.com/uploads/1/3/2/7/132712209/c6b13c650.pdf
    • http://files.morningwoodaz.com/uploads/1/3/0/7/130739658/0cb18.pdf
    • http://files.drmelissacordero.com/uploads/1/3/1/4/131408353/a63f5b145973c.pdf
    • http://files.east-baseball.com/uploads/1/3/1/6/131607093/0216c0a5e11f5.pdf
    • https://cdn.shopify.com/s/files/1/0429/7129/9999/files/25_principles_of_adult_behavior.pdf
    • https://cdn.shopify.com/s/files/1/0429/7113/6154/files/99049170219.pdf
    • https://cdn.shopify.com/s/files/1/0434/0023/3112/files/45187781005.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/90142435821.pdf
    • https://cdn.shopify.com/s/files/1/0432/2259/7800/files/zudegekazofoduv.pdf
    • https://cdn.shopify.com/s/files/1/0438/0740/8290/files/wefojamebuvarazudure.pdf
    • https://cdn.shopify.com/s/files/1/0429/9191/1066/files/74107358833.pdf
    • https://cdn.shopify.com/s/files/1/0430/9309/8660/files/8127901405.pdf
    • https://cdn.shopify.com/s/files/1/0431/6112/5025/files/tekuxizadosiwu.pdf
    • https://cdn.shopify.com/s/files/1/0437/6287/6565/files/pufibajajutajijas.pdf
    • https://cdn.shopify.com/s/files/1/0431/4945/9605/files/35264325430.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gijamibumiji.pdf
    • https://cdn.shopify.com/s/files/1/0435/0204/3288/files/52045548383.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006407.bin
1ce01a6d287b18aac64c40c9ec423ce5b6fc32c227222d82f5cdc36e48e0ddb9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6407 4872 bytes
font_01_sfnt_off000074d5.bin
b8825255549a3a198d3dc98a1cebb20184e8cae9fe38837ad317d9e85e5e1360		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74D5 9968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.