Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b41ef8e04cf2e86…

MALICIOUS

PDF

46.8 KB Created: 2020-09-01 01:09:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5824de581ca8b2cd85b8fc09870676cd SHA-1: ca404fb5a9a0305021f8d7462312054024a5596b SHA-256: 2b41ef8e04cf2e8629524cc905f3516cea7b8b3ba11ecb845da1740056e492c0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Sql server 2014 enterprise edition' and the malicious URL, suggesting a lure for users searching for software. The primary malicious URL is ttraff.cc, which is flagged as a malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=sql+server+2014++enterprise+edition
    • https://cdn.shopify.com/s/files/1/0428/5900/4070/files/gapadodogorobese.pdf
    • https://cdn.shopify.com/s/files/1/0438/2405/4429/files/58633116683.pdf
    • https://cdn.shopify.com/s/files/1/0438/3404/8669/files/rivixekoxepeluso.pdf
    • https://cdn.shopify.com/s/files/1/0438/4253/5574/files/37300902880.pdf
    • https://cdn.shopify.com/s/files/1/0431/3019/2039/files/legokuxemalo.pdf
    • https://cdn.shopify.com/s/files/1/0440/6480/0918/files/wukalawi.pdf
    • https://cdn.shopify.com/s/files/1/0432/5684/0350/files/camidoh_yawa_music.pdf
    • https://static.usrfiles.com/ugd/b8c837_3e7633e2f5d844e796006973b23c9982.pdf
    • https://static.usrfiles.com/ugd/b4609a_9a1e9ad5437145488d21f686a87dc86f.pdf
    • https://static.usrfiles.com/ugd/b6edda_b633e93685f4447fb826bcf0e6eec309.pdf
    • https://static.usrfiles.com/ugd/9e14ca_9c3d182ac1d84024b932275ab72fd59b.pdf
    • https://cdn.shopify.com/s/files/1/0428/7424/1183/files/20259795561.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/51686393220.pdf
    • https://cdn.shopify.com/s/files/1/0439/4775/3640/files/55021225652.pdf
    • https://cdn.shopify.com/s/files/1/0428/2623/6063/files/45428780761.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fa9.bin
bdba65796916ee7056683285a4afe18934bb04b1560478322b9d0c9b332e532a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FA9 4200 bytes
font_01_sfnt_off00006e85.bin
34c52f51fdd11cb9cacd21325fc41e45bbb03a3ed47ae98aec088bfc5bcd2625		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E85 5444 bytes
font_02_sfnt_off0000812f.bin
b5f94f55db918d9c7ca22835f7554596b97014cedd955c985d261beb4310d0be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x812F 13836 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.