Malicious PDF — malware analysis report

Static analysis result for SHA-256 2db5a4b44c07fe34…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
Created: 2020-09-02 16:47:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 584c869d867aa97f67b8c7a26f8a9f88
SHA-1: 6e35d217010cf2473cac2bbef8972fcc22d8a20f
SHA-256: 2db5a4b44c07fe34205ad23ed64cbf73e66cabab0b1af1741e1b210a7998d1f0
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the observed technique is a clickable redirector URI; nothing in the sample executes on open)
T1059.001 Command and Scripting Interpreter: PowerShell (not supported by the static findings below, which extracted no scripts from the sample; treat this mapping as unverified)

The PDF contains a clickable URI to 'https://ttraff.com/pify?keyword=sherlock+holmes+movie+free++in+telugu', which the critical PDF_MALICIOUS_REDIRECTOR_LINK heuristic identifies as known redirector infrastructure. The link is presented in the document body as a lure for free movie content. The file also matches a link-farm pattern: a 42 KB document carrying fifteen clickable links to other PDFs, clustered on two file-hosting CDNs (static.usrfiles.com and cdn.shopify.com), which is how generated SEO carrier PDFs route visitors into redirect chains rather than a normal citation pattern. No scripts were extracted. The rest of the content is compressed stream data with some text fragments; compressed streams are normal for wkhtmltopdf output and are not evidence of obfuscation on their own. The verdict rests on the redirector link and the link-farm structure, both of which require the user to click, not on any parser exploit.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so opening the file is not itself the compromise; following the link is.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF carries many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm carrier PDFs used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached it (macro, JavaScript, link annotation, document body, metadata, ...) determines whether a reader can trigger it at all.
    Link URLs (16):
    • https://ttraff.com/pify?keyword=sherlock+holmes+movie+free++in+telugu (redirector; matched by PDF_MALICIOUS_REDIRECTOR_LINK)
    • https://static.usrfiles.com/ugd/b8c837_5f2a3a6640ff47e9b4fd511f36012103.pdf
    • https://static.usrfiles.com/ugd/5360f8_a7c8425aeff3476685a8e2f80b3cfd2e.pdf
    • https://static.usrfiles.com/ugd/ff2e72_641354269c094e4c95f52bc9a6c6dd1f.pdf
    • https://static.usrfiles.com/ugd/b8c837_c17d130facb3441690e2030855741e61.pdf
    • https://cdn.shopify.com/s/files/1/0465/1584/7326/files/metal_gear_solid_3_ps2_iso.pdf
    • https://cdn.shopify.com/s/files/1/0434/9162/3074/files/kml_to_csv.pdf
    • https://cdn.shopify.com/s/files/1/0437/4020/1109/files/jinibizadezoxuvanidam.pdf
    • https://cdn.shopify.com/s/files/1/0428/1368/5927/files/8609396789.pdf
    • https://cdn.shopify.com/s/files/1/0429/9636/7511/files/30772783847.pdf
    • https://cdn.shopify.com/s/files/1/0429/6726/9532/files/zemofebom.pdf
    • https://cdn.shopify.com/s/files/1/0430/6350/9143/files/cali_move_workouts_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/6113/2962/files/61100210405.pdf
    • https://cdn.shopify.com/s/files/1/0432/1270/1860/files/49391207404.pdf
    • https://cdn.shopify.com/s/files/1/0437/5022/8119/files/iis_application_request_routing_arr.pdf
    • https://cdn.shopify.com/s/files/1/0429/7303/6697/files/38291473755.pdf
    XMP metadata namespace identifiers (6), taken from the document's metadata stream; these are the standard RDF, Dublin Core and Adobe namespace URIs, not links, and carry no detection weight:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
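To make the two critical heuristics concrete, the following is an added example, not the analyser's own code and not part of the original report. It re-implements them over raw PDF bytes with the Python standard library: it inflates Flate streams so link dictionaries inside compressed object streams are seen, extracts /URI link-annotation targets separately from XMP namespace URIs (the channel distinction the EMBEDDED_URL note makes), and then applies a redirector-host rule and a link-farm rule. The sample PDF, the `.test` hosts, the redirector blocklist (seeded only with ttraff.com from this report) and the thresholds (100 KB, five PDF links, 60% on one host) are all assumptions chosen for the example.

```python
"""Added example: the report's two critical PDF heuristics re-implemented
over raw PDF bytes (stdlib only). Host list and thresholds are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Assumption: illustrative redirector blocklist seeded from this report's
# finding, not a real threat-intelligence feed.
REDIRECTOR_HOSTS = {"ttraff.com"}

# /URI (literal string); the hex-string form /URI <...> is not handled here.
URI_RE = re.compile(rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)")
XMLNS_RE = re.compile(rb'xmlns(?::\w+)?="([^"]+)"')     # XMP namespace URIs
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf: bytes) -> bytes:
    """Raw bytes plus every Flate stream body decompressed, so link
    dictionaries held in compressed object streams are scanned as well."""
    chunks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data: fonts, images, plain XML metadata
    return b"\n".join(chunks)


def extract_urls(pdf: bytes) -> dict:
    """URLs keyed by the channel that reached them: clickable /Link /URI
    actions versus namespace identifiers from the XMP metadata packet."""
    data = inflate_streams(pdf)
    links = {m.group("lit").decode("latin-1") for m in URI_RE.finditer(data)}
    xmlns = {m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(data)}
    return {"link_annotation": links, "xmp_namespace": xmlns - links}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def redirector_links(links) -> list:
    """PDF_MALICIOUS_REDIRECTOR_LINK: clickable URIs on a listed host."""
    return sorted(u for u in links if host_of(u) in REDIRECTOR_HOSTS)


def link_farm(links, size_bytes, max_size=100_000, min_links=5, min_cluster=0.6):
    """PDF_SEO_LINK_FARM: a small file whose clickable links mostly target
    other PDFs on a single host. Thresholds are assumptions for the example."""
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if size_bytes > max_size or len(pdf_links) < min_links:
        return None
    host, n = Counter(host_of(u) for u in pdf_links).most_common(1)[0]
    if n / len(pdf_links) < min_cluster:
        return None
    return {"host": host, "pdf_links": len(pdf_links), "on_host": n}


def analyse(pdf: bytes) -> dict:
    links = extract_urls(pdf)["link_annotation"]
    return {
        "PDF_MALICIOUS_REDIRECTOR_LINK": redirector_links(links),
        "PDF_SEO_LINK_FARM": link_farm(links, len(pdf)),
    }


def _link_obj(num: int, url: str) -> bytes:
    return (f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >> endobj\n").encode()


# Constructed sample (not the analysed file): one redirector link, five links
# to PDFs on one CDN host (one of them inside a Flate-compressed stream), one
# unrelated PDF link, and an XMP packet whose xmlns URIs are not links.
_CDN = "https://cdn.example-shop.test/s/files/1/000%d/files/%s.pdf"
_COMPRESSED = zlib.compress(_link_obj(9, _CDN % (5, "e")))
_XMP = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        b'xmlns:dc="http://purl.org/dc/elements/1.1/"></rdf:RDF>')
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 12 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R "
    b"/Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 11 0 R] >> endobj\n"
    + _link_obj(4, "https://ttraff.com/pify?keyword=example")
    + b"".join(_link_obj(5 + i, _CDN % (i + 1, "abcd"[i])) for i in range(4))
    + b"10 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
    % len(_COMPRESSED) + _COMPRESSED + b"\nendstream\nendobj\n"
    + _link_obj(11, "https://docs.example.test/manual.pdf")
    + b"12 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n"
    % len(_XMP) + _XMP + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for rule, hit in analyse(SAMPLE_PDF).items():
        print(f"{rule}: {hit}")
    for channel, urls in extract_urls(SAMPLE_PDF).items():
        print(f"{channel}: {sorted(urls)}")
```

On the constructed sample both critical rules fire: the redirector rule returns the ttraff.com URI, and the link-farm rule reports six PDF links with five on cdn.example-shop.test, while the two XMP namespace URIs land in the separate `xmp_namespace` bucket and never reach the rules. Against a real sample the inflation step matters most: wkhtmltopdf output keeps its content in Flate streams, so a scanner that only greps the raw file will miss links and wrongly read the compressed data as obfuscation.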

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType-format) fonts; no heuristic fired on them.

font_00_sfnt_off0000692c.bin
  SHA-256: 6ff7e40b7ea97b288133e13125feba69ca8c80d9fd30904b95b0e8a79d25df7d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x692C
  Size: 5312 bytes

font_01_sfnt_off00007b23.bin
  SHA-256: e6db41699e55b85c084230d94dce28e1e863cc98f2faed170243d39d5438c058
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7B23
  Size: 9752 bytes