Malicious PDF — malware analysis report

Static analysis result for SHA-256 2211d909190c53bd…

MALICIOUS

PDF

48.6 KB Created: 2020-08-21 06:24:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68bedc6c17170fbe15ff379fc60e12d6 SHA-1: bd022cae777e74342185cb2cc72054fe2a4313ac SHA-256: 2211d909190c53bd9c7193d052688ccd7e82319e3dd25132db7733757b60128a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, many of which point to a link farm hosted on Shopify. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.com/pify?keyword=latest+android+update+for+10.+1'. The document body, though heavily obfuscated, contains text related to 'latest android update' and the malicious URL, suggesting a social engineering lure. The presence of multiple unknown URLs indicates a potential distribution mechanism for further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=latest+android+update+for+10.+1
    • http://vadagate.cypressbaytv.com/uploads/1/3/1/0/131070420/fidapatupe.pdf
    • http://files.sujordan.com/uploads/1/3/1/4/131406749/gawigu_nisinuvuke_vijim.pdf
    • http://files.msmale.com/uploads/1/3/2/6/132683251/jafotonofed-jelazis.pdf
    • http://files.pirhozeta1920.com/uploads/1/3/2/6/132682113/91411.pdf
    • https://cdn.shopify.com/s/files/1/0438/6720/9893/files/bams_full_syllabus.pdf
    • https://cdn.shopify.com/s/files/1/0432/9956/9829/files/xaloforinafijomibukexebi.pdf
    • https://cdn.shopify.com/s/files/1/0432/4245/5195/files/autobahn_map.pdf
    • https://cdn.shopify.com/s/files/1/0433/7149/5574/files/8429265773.pdf
    • https://cdn.shopify.com/s/files/1/0430/0279/0039/files/21298314943.pdf
    • https://cdn.shopify.com/s/files/1/0438/2703/6322/files/64171875516.pdf
    • https://cdn.shopify.com/s/files/1/0431/6705/6023/files/66913343573.pdf
    • https://cdn.shopify.com/s/files/1/0434/8890/3325/files/lelizusukuzatat.pdf
    • https://cdn.shopify.com/s/files/1/0433/6982/4407/files/72517418690.pdf
    • https://cdn.shopify.com/s/files/1/0431/0820/4704/files/drake_beyonce_can_i_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/3820/3290/files/xoluzowodelasup.pdf
    • https://cdn.shopify.com/s/files/1/0432/5530/0249/files/fezidelew.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007faa.bin
ca106676cee38dd98720123f439636b08a2075d2ec633f1d7f45e42a92145697		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FAA 5168 bytes
font_01_sfnt_off00009155.bin
103ccf855b13a8d45fb3fc3471ecc1055522ec6f4d452ee4fa45283e5f31406a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9155 10692 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.