Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d590063ae7445ce…

MALICIOUS

PDF

66.9 KB Created: 2020-09-08 00:11:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c5343bac296897e265aa539f44d77f7 SHA-1: 12c839f09f081d5b592a4bfc2d066b0ce776a655 SHA-256: 2d590063ae7445ce4e0b1f3d66880f68cb4fe45cee174eaa0a1682543d6d392c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The PDF also contains a link farm, suggesting an attempt to manipulate search engine results or distribute content broadly. The embedded URL in the document body, 'https://ttraff.me/wix?keyword=android+version+of+google+pixel+2', is likely the primary lure, disguised as information about a Google Pixel phone, to entice users to click through to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=android+version+of+google+pixel+2
    • https://cdn.shopify.com/s/files/1/0435/5863/3631/files/betternet_vpn_for_pc_with_crack.pdf
    • https://cdn.shopify.com/s/files/1/0438/4142/1474/files/short_film_script_template.pdf
    • https://cdn.shopify.com/s/files/1/0468/8927/1453/files/api_platform_dto.pdf
    • https://cdn.shopify.com/s/files/1/0434/8307/0629/files/39616225522.pdf
    • https://cdn.shopify.com/s/files/1/0429/1903/5033/files/32096256737.pdf
    • https://cdn.shopify.com/s/files/1/0431/7406/8390/files/tavakodavitizonoxeme.pdf
    • https://cdn.shopify.com/s/files/1/0435/9671/0047/files/26716883425.pdf
    • https://cdn.shopify.com/s/files/1/0433/0523/8692/files/mixuvuzojujosafawu.pdf
    • https://cdn.shopify.com/s/files/1/0429/2290/1663/files/94923213337.pdf
    • https://cdn.shopify.com/s/files/1/0435/1652/6752/files/zifego.pdf
    • https://static.usrfiles.com/ugd/6a7407_997c7087d86e4479bb56141a36e7e818.pdf
    • https://static.usrfiles.com/ugd/2b3f46_43102aae36984a31bd4cc0feaaaf8c4b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000becd.bin
a5d55f2e2c040ea12669bcadb5ff83ffc0986e8229672a06a407db6241eb252c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBECD 5248 bytes
font_01_sfnt_off0000d0cc.bin
278500c64bf162b1f01d8bca5109055bd50e93e23f18a821b89255e25f3b5cfb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD0CC 14880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.