Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ccb8e485cb3811c…

MALICIOUS

PDF

47.0 KB Created: 2020-08-18 16:04:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf95bfe5d99a77a188d9830bc3d38c11 SHA-1: 08130997ee87d0d06a19f95ae7be8323efe2b1fc SHA-256: 2ccb8e485cb3811cded5f9f6f68dc863e8aac0a283741b7510ab894277c7ca35
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to Shopify domains hosting PDF files, suggesting a link farm for SEO poisoning. One prominent link, 'https://ttraff.com/pify?keyword=best+screen+dimming+app+android', is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, indicating a lure to download an app or related content, which likely leads to malicious activity. The 'SE_REMOTE_SUPPORT_LURE' heuristic suggests a pretext for the user to install or interact with potentially harmful software.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=best+screen+dimming+app+android
    • http://jesoz.collectiblesforchrist.org/uploads/1/3/2/8/132815367/3062212.pdf
    • http://wumixa.starlitedance.ca/uploads/1/3/0/8/130873995/105913.pdf
    • https://cdn.shopify.com/s/files/1/0445/8138/8452/files/clinical_bacteriology_struthers_download_free.pdf
    • https://cdn.shopify.com/s/files/1/0436/8665/8213/files/90528673235.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zudofujavulasosajawigubi.pdf
    • https://cdn.shopify.com/s/files/1/0431/2095/1450/files/530_login_authentication_failed.pdf
    • https://cdn.shopify.com/s/files/1/0441/1850/7672/files/ncert_solutions_for_class_11_biology_chapter_3_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/5611/1520/files/game_online_android_hack_mod.pdf
    • https://cdn.shopify.com/s/files/1/0435/0358/3384/files/old_forge_trail_cam.pdf
    • https://cdn.shopify.com/s/files/1/0440/9376/7832/files/aldehyde_ketone_and_carboxylic_acid_questions.pdf
    • https://cdn.shopify.com/s/files/1/0438/7222/3387/files/algorithme_les_tableaux_exercices_corrigs.pdf
    • https://cdn.shopify.com/s/files/1/0433/8063/7859/files/85613696098.pdf
    • https://cdn.shopify.com/s/files/1/0430/6403/3429/files/suseregubenepub.pdf
    • https://cdn.shopify.com/s/files/1/0439/0476/2011/files/zowoteniregimi.pdf
    • https://cdn.shopify.com/s/files/1/0443/9290/6918/files/60173794455.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b59.bin
506bdbaef80fac6f630999091a686e94b1d4e13aefa4bcc745a370ea37ad5032		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B59 5200 bytes
font_01_sfnt_off00007ce0.bin
f545f933ef0e7c3ed566996a7a6d05dc9a8bd054fa9b9849d7994218f70b25a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CE0 10668 bytes
font_02_sfnt_off0000a104.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA104 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.