Malicious PDF — malware analysis report

Static analysis result for SHA-256 2109e9cb392f7593…

MALICIOUS

PDF

Size: 45.6 KB
Created: 2020-07-29 16:40:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e9db44b0fb2026586f0149d8dec1759
SHA-1: 90b79a60e0e602fc11a57d608f7e12781e31bbfc
SHA-256: 2109e9cb392f7593dd9784b3409986a9c835c393eacbec0ca1d76845a43d70af
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a heuristic match for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. Additionally, PDF_SEO_LINK_FARM suggests the document is part of a link farm designed to manipulate search engine results. The primary malicious URL identified is ttraff.cc, which is likely used to redirect users to further malicious content. The document body, though heavily obfuscated, contains text related to 'The overcoat nikolai gogol pdf download', serving as a lure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.cc/pify?keyword=the+overcoat+nikolai+gogol+pdf+download
    Other extracted URLs:
    • http://files.azkillerbeessoftball.com/uploads/1/3/0/8/130874518/jemizip.pdf
    • http://files.learningmn.org/uploads/1/3/0/7/130740318/392689.pdf
    • http://files.abstraxthairdesign.com/uploads/1/3/1/8/131871586/bajobuxada.pdf
    • http://files.azkillerbeessoftball.c
    • https://cdn.shopify.com/s/files/1/0431/7147/9713/files/10471289541.pdf
    • https://cdn.shopify.com/s/files/1/0427/7728/0671/files/96014678692.pdf
    • https://cdn.shopify.com/s/files/1/0427/9032/2342/files/zisanekisuf.pdf
    • https://cdn.shopify.com/s/files/1/0433/0681/1560/files/gameveradibasekorinolelit.pdf
    • https://cdn.shopify.com/s/files/1/0428/8184/3353/files/fedupusiluxonorafanemi.pdf
    • https://cdn.shopify.com/s/files/1/0428/2561/3468/files/nuxifopunafexisawodofubi.pdf
    • https://cdn.shopify.com/s/files/1/0431/3228/9178/files/98862911480.pdf
    • https://cdn.shopify.com/s/files/1/0433/5036/0232/files/putatorolarur.pdf
    • https://cdn.shopify.com/s/files/1/0431/6728/5410/files/21579742833.pdf
    • https://cdn.shopify.com/s/files/1/0429/0802/4985/files/pomeragamulo.pdf
    • https://cdn.shopify.com/s/files/1/0431/5630/8123/files/faxivutodowujed.pdf
    • https://cdn.shopify.com/s/files/1/0430/9037/8903/files/fisibidipu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000074ff.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x74FF   5192 bytes
  SHA-256: 0b20bed25ff0cca3f7644d48f6c3932a0bbdf64dbae2d036bcdf757126bb9d73
font_01_sfnt_off000086b7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x86B7   10088 bytes
  SHA-256: f926f3914657d82712469306cced2e32c8f432d5c38245c911b85569f5a34184