Malicious PDF — malware analysis report

Static analysis result for SHA-256 23f93b4fbe4c2347…

Verdict: MALICIOUS
File type: PDF

Size: 85.0 KB
Created: 2020-07-30 23:04:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a578066f6fad2df7023e3727e737d5d6
SHA-1: 56fa62742b45ea47a2c3d6891164a12feb114ebf
SHA-256: 23f93b4fbe4c23477ac977258f939a464df9626258c7857303ab7971ec004e89
Risk score: 168

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 Command and Scripting Interpreter: PowerShell (no script, JavaScript or launch action appears in the static findings below, so this mapping is not supported by the artifacts in this report)

The PDF contains a large number of embedded links, most of them pointing to PDF files on a single cdn.shopify.com host, forming a link farm. One critical heuristic flags a link to the redirector 'ttraff.com'; the redirector is likely used to hide the final destination, and its keyword parameter ('react js tutorial for beginners pdf') gives the lure theme, which the heavily obfuscated document body also suggests. A link farm combined with a malicious redirector points to a phishing or unwanted-software distribution attempt that is driven by user clicks rather than by a parser exploit.

Heuristics (5)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    The PDF is small yet contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_ACTION_PARSER_EVASION (high): Clickable PDF combines an external action with parser-evasion structure
    The PDF has an external clickable URI together with object-graph or xref structures that make parsers disagree, such as duplicate objects with divergent content or xref offsets that do not match the actual object positions. The combination is a stronger signal than a plain link: the document is both an outward-action carrier and a parser-confusion sample. Because parsers diverge, different viewers and scanners may resolve a different /URI for the same annotation, so extract links with more than one parser before concluding what a user would actually reach.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal on its own and only matters because the other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=react+js+tutorial+for+beginners+pdf
    • http://files.findtheyeti.com/uploads/1/3/1/4/131410545/tofosu.pdf
    • http://files.aletalederwasch.com.au/uploads/1/3/1/4/131408546/5638055.pdf
    • http://files.apsh.org/uploads/1/3/1/1/131164067/lolawizixati_tulilusasupagu_goxesuxaze_kajebatonijani.pdf
    • http://files.technotronics.shop/uploads/1/3/1/8/131871864/3ea7e8413.pdf
    • https://cdn.shopify.com/s/files/1/0432/0981/8272/files/xuwudilopinivuwofem.pdf
    • https://cdn.shopify.com/s/files/1/0433/5819/1768/files/rubivewopedufuzepolat.pdf
    • https://cdn.shopify.com/s/files/1/0431/8386/6007/files/77148917611.pdf
    • https://cdn.shopify.com/s/files/1/0430/7949/9940/files/35342217605.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/52325197595.pdf
    • https://cdn.shopify.com/s/files/1/0428/5857/8086/files/modalobajisabaran.pdf
    • https://cdn.shopify.com/s/files/1/0428/4314/4359/files/65714529872.pdf
    • https://cdn.shopify.com/s/files/1/0434/3640/8982/files/ruzigubipaduzizovejunisib.pdf
    • https://cdn.shopify.com/s/files/1/0432/8154/7417/files/favitobibababepeselisuv.pdf
    • https://cdn.shopify.com/s/files/1/0431/7665/7051/files/72157663611.pdf
    • https://cdn.shopify.com/s/files/1/0431/1462/7234/files/madovavewozabemaguwo.pdf
    • https://cdn.shopify.com/s/files/1/0433/8250/5628/files/83039219582.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF/XMP namespace identifiers from the document's metadata packet, not link annotations; they are inert and should not be counted toward the link farm.
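The three critical/high heuristics above describe checks that can be reproduced statically. The Python below is an added example written for this page, not the scanner's own code: it pulls literal /URI actions out of a PDF, scores the link-farm pattern (small file, many .pdf links, one dominant host), matches a hypothetical redirector denylist seeded with ttraff.com, and compares the xref table against where objects really start, also noting duplicate object numbers. The thresholds, the denylist and the sample PDF it builds (with a divergent duplicate object and a stale xref entry) are assumptions; the sample URLs are constructed in the pattern of the list above.

```python
"""Static PDF link triage: pull /URI actions, score the link farm, match a
redirector denylist, and check xref offsets against real object positions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Redirector denylist. ttraff.com is the host the report flags; the set is a
# stand-in for a real threat-intel feed (assumption for this example).
REDIRECTOR_HOSTS = {"ttraff.com"}

# Literal-string URIs only; hex strings, escaped parens and indirect /URI
# objects need a real PDF parser (pdfminer, pypdf) in production.
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
XREF_RE = re.compile(rb"(?m)^xref\r?\n(\d+)\s+(\d+)\r?\n")
ENTRY_RE = re.compile(rb"(\d{10}) (\d{5}) ([nf])")


def extract_uris(pdf: bytes) -> list[str]:
    """Every clickable URI target reachable through a /URI action."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_score(uris, size_bytes, min_pdf_links=8, max_size=200_000, dominance=0.5):
    """PDF_SEO_LINK_FARM logic: small file, many .pdf links, one dominant host."""
    hosts = Counter(urlparse(u).hostname for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(uris) if uris else 0.0
    pdf_links = sum(u.lower().endswith(".pdf") for u in uris)
    return {
        "external_links": len(uris), "pdf_links": pdf_links,
        "top_host": top_host, "top_host_share": round(share, 3),
        "is_link_farm": size_bytes <= max_size and pdf_links >= min_pdf_links
        and share >= dominance,
    }


def redirector_hits(uris):
    """PDF_MALICIOUS_REDIRECTOR_LINK logic: any URI on a known redirector host."""
    return [u for u in uris if urlparse(u).hostname in REDIRECTOR_HOSTS]


def xref_consistency(pdf: bytes):
    """PDF_ACTION_PARSER_EVASION signals: duplicate object numbers and xref
    entries whose offset does not point at 'N G obj' (first xref section only)."""
    actual, dups = {}, set()
    for m in OBJ_RE.finditer(pdf):
        num = int(m.group(1))
        if num in actual:
            dups.add(num)  # second definition: parsers may pick either one
        else:
            actual[num] = m.start()
    mismatches = []
    x = XREF_RE.search(pdf)
    if x:
        first, count = int(x.group(1)), int(x.group(2))
        for i, e in enumerate(list(ENTRY_RE.finditer(pdf, x.end()))[:count]):
            num, off = first + i, int(e.group(1))
            if e.group(3) == b"n" and actual.get(num) != off:
                mismatches.append((num, off, actual.get(num)))
    return {"xref_mismatches": mismatches, "duplicate_objects": sorted(dups)}


def analyze(pdf: bytes) -> dict:
    uris = extract_uris(pdf)
    report = {"uris": uris, "redirectors": redirector_hits(uris)}
    report.update(link_farm_score(uris, len(pdf)))
    report.update(xref_consistency(pdf))
    return report


def build_sample_pdf(uris, tamper=True) -> bytes:
    """Constructed test input: one page whose /Annots are /Link annotations with
    /URI actions. With tamper=True it also carries a divergent duplicate of
    object 4 and a stale xref offset for object 5, mimicking the evasion finding."""
    objs = [(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
            (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")]
    annots = [b"%d 0 R" % (4 + i) for i in range(len(uris))]
    objs.append((3, b"<< /Type /Page /Parent 2 0 R /Annots [" + b" ".join(annots) + b"] >>"))
    for i, u in enumerate(uris):
        objs.append((4 + i, b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     b"/A << /S /URI /URI (" + u.encode() + b") >> >>"))
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num, body in objs:
        offsets[num] = len(out)
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    if tamper:
        out += (b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI "
                b"(http://example.invalid/benign.pdf) >> >>\nendobj\n")
    n, xref_pos = len(objs) + 1, len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % n
    for num in range(1, n):
        out += b"%010d 00000 n \n" % (offsets[num] + (7 if tamper and num == 5 else 0))
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (n, xref_pos)
    return bytes(out)


# Constructed sample in the pattern of the report's URL list: the redirector,
# one files.* host and eight cdn.shopify.com PDF links.
SAMPLE_URIS = [
    "https://ttraff.com/pify?keyword=react+js+tutorial+for+beginners+pdf",
    "http://files.findtheyeti.com/uploads/1/3/1/4/131410545/tofosu.pdf",
] + [f"https://cdn.shopify.com/s/files/1/0430/{i:04d}/8272/files/{i}.pdf" for i in range(8)]

if __name__ == "__main__":
    for k, v in analyze(build_sample_pdf(SAMPLE_URIS)).items():
        print(f"{k}: {v}")
```

Running it on the tampered sample reports 11 extracted URIs (the duplicate object contributes one the xref-driven parser would never see), cdn.shopify.com as the dominant host, ttraff.com as the only redirector hit, object 4 as a duplicate and object 5 as an xref mismatch; the same sample built with tamper=False yields no structural findings, which is the point of scoring structure and links together.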

Extracted artifacts (5)

Files carved from inside the sample during analysis. Embedded subset fonts are normal output for a wkhtmltopdf-generated document and are not indicators on their own; the hashes are listed so that the same font programs can be correlated across samples from the same generator.

font_00_sfnt_off0000d05d.bin
  SHA-256: 0eac1552a6a0cc8d6d43e14f5c157d052ff2bf21460314f67a2c213e0a454e63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD05D
  Size: 6744 bytes
font_01_sfnt_off0000e144.bin
  SHA-256: 569b9a3700e11e7150c6c39fdbbb16fdfd92b6c03a6f9d94ef974efa5e4f53b5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE144
  Size: 5428 bytes
font_02_sfnt_off0000f3bd.bin
  SHA-256: 48affe70d01c3cf01f14fa6b9d38d33f2d007eba034b4d2820ebd0eb916f5c01
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF3BD
  Size: 3896 bytes
font_03_sfnt_off000102f6.bin
  SHA-256: 1d32cbeb47fbb18326f62885cb1491389aa7306de66cc3fbdf1ea9ac1bff3283
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x102F6
  Size: 13860 bytes
font_04_sfnt_off00012f93.bin
  SHA-256: a235935b7da1a3e0dfb4386fa22d70075346861adeac55da3f8f322ddd140fe5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12F93
  Size: 16352 bytes
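The artifact table above is the kind of output a stream carver produces. The Python below is an added example for this page, not the analysis tool's own code: it walks every stream object, inflates FlateDecode payloads, keeps only those that begin with an sfnt container magic, and records each one with the same filename convention (font_NN_sfnt_offXXXXXXXX.bin), SHA-256 and size as the table. It assumes the reported offset is that of the owning object (the tool may instead report the stream data offset), handles only flat stream dictionaries with a direct /Length, and builds its own constructed PDF with one font stream and one non-font stream as input.

```python
"""Carve sfnt font programs out of PDF streams and record them the way the
artifact table above does (name, SHA-256, offset, decoded size)."""
import hashlib
import re
import zlib

# sfnt container magics: TrueType (0x00010000 / 'true'), CFF OpenType, collection
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")
# Flat dictionaries only (no nested << >> such as /DecodeParms); a full parser
# is needed for those and for streams inside object streams.
STREAM_RE = re.compile(rb"(\d+)\s+0\s+obj\s*<<((?:(?!>>).)*)>>\s*stream\r?\n", re.S)


def carve_fonts(pdf: bytes) -> list[dict]:
    """One record per stream whose decoded bytes start with an sfnt magic.
    Offset is that of the owning 'N 0 obj' (assumption about the report's
    convention; the tool may report the stream data offset instead)."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        obj_off, dict_src, start = m.start(), m.group(2), m.end()
        # Direct /Length only; an indirect '/Length N 0 R' falls back to endstream.
        lm = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dict_src)
        if lm:
            raw = pdf[start:start + int(lm.group(1))]
        else:
            raw = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        data = raw
        if b"/FlateDecode" in dict_src:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or non-zlib payload: nothing to carve here
        if not data.startswith(SFNT_MAGICS):
            continue
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{obj_off:08x}.bin",
            "sha256": hashlib.sha256(data).hexdigest(),
            "kind": "pdf-font-stream",
            "source": f"PDF embedded font (sfnt) at offset 0x{obj_off:X}",
            "offset": obj_off,
            "size": len(data),
        })
    return found


# Constructed sample font: TrueType magic, numTables=5, zero-filled to 512 bytes.
SAMPLE_FONT = b"\x00\x01\x00\x00\x00\x05" + bytes(506)


def build_sample_pdf() -> bytes:
    """Constructed PDF: a FlateDecode font-program stream carrying SAMPLE_FONT
    plus an unrelated FlateDecode content stream that must not be carved."""
    comp = zlib.compress(SAMPLE_FONT)
    content = zlib.compress(b"BT /F1 12 Tf (Click here to download) Tj ET")
    out = bytearray(b"%PDF-1.4\n")
    out += b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    out += (b"2 0 obj\n<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n"
            % (len(comp), len(SAMPLE_FONT)) + comp + b"\nendstream\nendobj\n")
    out += (b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
            + content + b"\nendstream\nendobj\n")
    return bytes(out)


if __name__ == "__main__":
    for rec in carve_fonts(build_sample_pdf()):
        print(rec)
```

Only the font stream is carved; the content stream inflates cleanly but fails the magic check, which is what keeps a carver from dumping every stream in a document. Hashing the decoded bytes rather than the compressed stream is deliberate: the same font subset re-deflated by a different generator version changes the stream bytes but not the decoded program.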