Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d1e14f2f1f4f186…

Verdict: MALICIOUS
File type: PDF
Size: 40.9 KB
Created: 2020-08-21 23:10:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5927d51e8db5eb7394fbead742c8de8e
SHA-1: aad4f825fbd0be6359e8f9b8099619f333fed91a
SHA-256: 2d1e14f2f1f4f186f9bd529275100268f454e917756f1d39a51aad1907188a22
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF was identified as a malicious redirector carrier and SEO link farm. It contains numerous clickable URLs; most point to PDF files hosted on cdn.shopify.com and a handful of other file-hosting paths, and one leads to ttraff.cc, a known malicious redirector. That URL, https://ttraff.cc/pify?keyword=browser++app+iphone, carries a search keyword in its query string and is the likely pivot into further unwanted-software downloads or phishing pages. The document body is heavily obfuscated and repeats some of the URLs, but offers no clear textual lure. The authoring application recorded in the metadata (wkhtmltopdf) is consistent with the generated-carrier pattern described in the heuristics below.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=browser++app+iphone (clickable URI; the link that triggers PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://jigilunib.laurengoldsteinart.com/uploads/1/3/0/7/130776659/6134382.pdf
    • http://files.teresamunn.com/uploads/1/3/1/8/131856446/8e3b13495.pdf
    • http://files.whiskeypirate.com/uploads/1/3/1/6/131606467/4337941.pdf
    • http://files.matchmypartytheme.com/uploads/1/3/0/7/130775651/rujezela_jawabar.pdf
    • https://cdn.shopify.com/s/files/1/0428/3452/6375/files/96895742569.pdf
    • https://cdn.shopify.com/s/files/1/0434/5934/6582/files/14339513496.pdf
    • https://cdn.shopify.com/s/files/1/0428/6958/8124/files/kefifeminebekebitopuxesuv.pdf
    • https://cdn.shopify.com/s/files/1/0435/8501/1871/files/lisegagifuwugevafawadopax.pdf
    • https://cdn.shopify.com/s/files/1/0433/8896/0919/files/14894676354.pdf
    • https://cdn.shopify.com/s/files/1/0429/7470/7868/files/rupaul_season_6_torrent.pdf
    • https://cdn.shopify.com/s/files/1/0433/9807/0426/files/atresia_pulmonar.pdf
    • https://cdn.shopify.com/s/files/1/0435/4303/6053/files/3213457786.pdf
    • https://cdn.shopify.com/s/files/1/0437/3993/8970/files/nidevi.pdf
    • https://cdn.shopify.com/s/files/1/0438/3732/5462/files/50547962475.pdf
    The remaining six URIs are XMP/RDF schema namespaces picked up from the document's metadata packet. They are identifiers, not clickable links, and carry no weight in the verdict:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
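The two critical heuristics above reduce to a few measurable properties of the link annotations. The Python below is an added example, not the scanner's own code: it pulls /URI entries out of raw PDF bytes without a PDF library, separates them from raw-body URL hits such as the XMP namespaces, and applies the redirector and link-farm checks. The redirector host list, the thresholds (100 KB, 8 .pdf links, 50% of them on one host), the sample PDF and the function names are assumptions made for this example; the sample reuses URLs from this report's own list.

```python
"""Link-farm and redirector heuristics over PDF link annotations (added example).
Works on raw bytes; a real pipeline would also inflate FlateDecode'd object streams."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: a deployment takes this from a threat-intel feed. ttraff.cc is the
# redirector host named in the report above.
REDIRECTOR_HOSTS = {"ttraff.cc"}

# XMP/RDF schema namespaces: identifiers in the metadata packet, not links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
)

# Link-farm thresholds (assumptions chosen for this example).
SMALL_PDF_BYTES = 100 * 1024
MIN_PDF_LINKS = 8
MIN_TOP_HOST_SHARE = 0.5

_URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")   # /URI (...)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")            # /URI <hex>
_RAW_URL = re.compile(rb"""https?://[^\s<>"'()]+""")          # anything URL-shaped


def _decode_hex_string(hexdigits: bytes) -> bytes:
    digits = re.sub(rb"\s", b"", hexdigits)
    if len(digits) % 2:          # PDF pads a trailing odd digit with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def extract_urls(pdf: bytes) -> list:
    """Return (channel, url) pairs; channel is 'link_annotation' or 'body'."""
    found = []
    for m in _URI_LITERAL.finditer(pdf):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))   # undo \( \) \\ escapes
        found.append(("link_annotation", raw.decode("latin-1")))
    for m in _URI_HEX.finditer(pdf):
        found.append(("link_annotation", _decode_hex_string(m.group(1)).decode("latin-1")))
    clickable = {u for _, u in found}
    for m in _RAW_URL.finditer(pdf):           # raw-body hits not already seen as links
        url = m.group(0).decode("latin-1")
        if url not in clickable:
            found.append(("body", url))
    return found


def is_metadata_namespace(url: str) -> bool:
    return url.startswith(XMP_NAMESPACE_PREFIXES)


def classify(pdf: bytes) -> dict:
    """Apply the redirector and link-farm heuristics; return findings and URL buckets."""
    urls = extract_urls(pdf)
    clickable = [u for ch, u in urls if ch == "link_annotation"]
    hosts = [urlsplit(u).hostname or "" for u in clickable]
    findings = []

    redirectors = sorted({u for u, h in zip(clickable, hosts) if h in REDIRECTOR_HOSTS})
    if redirectors:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirectors))

    pdf_links = [(u, h) for u, h in zip(clickable, hosts)
                 if urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_share = None, 0.0
    if pdf_links:
        top_host, top_n = Counter(h for _, h in pdf_links).most_common(1)[0]
        top_share = top_n / len(pdf_links)
    if (len(pdf) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS
            and top_share >= MIN_TOP_HOST_SHARE):
        findings.append(("critical", "PDF_SEO_LINK_FARM",
                         {"pdf_links": len(pdf_links), "top_host": top_host,
                          "top_host_share": round(top_share, 2)}))

    body = [u for ch, u in urls if ch == "body"]
    return {"findings": findings, "clickable": clickable,
            "body_urls": [u for u in body if not is_metadata_namespace(u)],
            "metadata_namespaces": [u for u in body if is_metadata_namespace(u)]}


# Constructed sample (not the analysed file): URLs from the report placed in link
# annotations plus a minimal XMP packet. No xref table, which byte scanning does not need.
SAMPLE_URLS = [
    "https://ttraff.cc/pify?keyword=browser++app+iphone",
    "http://jigilunib.laurengoldsteinart.com/uploads/1/3/0/7/130776659/6134382.pdf",
    "http://files.teresamunn.com/uploads/1/3/1/8/131856446/8e3b13495.pdf",
    "https://cdn.shopify.com/s/files/1/0428/3452/6375/files/96895742569.pdf",
    "https://cdn.shopify.com/s/files/1/0434/5934/6582/files/14339513496.pdf",
    "https://cdn.shopify.com/s/files/1/0428/6958/8124/files/kefifeminebekebitopuxesuv.pdf",
    "https://cdn.shopify.com/s/files/1/0435/8501/1871/files/lisegagifuwugevafawadopax.pdf",
    "https://cdn.shopify.com/s/files/1/0433/8896/0919/files/14894676354.pdf",
    "https://cdn.shopify.com/s/files/1/0429/7470/7868/files/rupaul_season_6_torrent.pdf",
    "https://cdn.shopify.com/s/files/1/0433/9807/0426/files/atresia_pulmonar.pdf",
    "https://cdn.shopify.com/s/files/1/0435/4303/6053/files/3213457786.pdf",
]


def build_sample_pdf(urls) -> bytes:
    annots = b"".join(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
                      + u.encode("ascii") + b") >> >>\n" for u in urls)
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta>")
    return b"%PDF-1.4\n" + annots + xmp + b"\n%%EOF\n"


SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for severity, rule, detail in classify(SAMPLE_PDF)["findings"]:
        print(severity, rule, detail)
```

Run against the sample, `classify` fires both critical rules and files the three namespace URIs under `metadata_namespaces`, which is the distinction the EMBEDDED_URL note above asks analysts to keep: an extracted URL is evidence only through the channel that reached it.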

Extracted artifacts 2

Files carved from inside the sample during analysis. Both are embedded font programs (sfnt containers), which are expected in wkhtmltopdf output; none of the heuristics above fires on them, so they are listed for completeness and hash pivoting rather than as indicators.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000063ad.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x63AD  5016 bytes
  SHA-256: 2e8eba52f8e0edc4aa0898238956ed2b47fc8c4c7a7e8d0ab54de041b0d9ef6a
font_01_sfnt_off000074ca.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x74CA  10096 bytes
  SHA-256: 26e4655dcb5fed6b10dc0316a28941b9d4fd20ac4de7421aa1272316fba9a955