Malicious PDF — malware analysis report

Static analysis result for SHA-256 2eeb11f97e134d23…

MALICIOUS

PDF

46.1 KB Created: 2020-08-10 22:28:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41b71e2697488dba355d8cf975f84dfa SHA-1: 6cc8efe94e4554b575e6b5aaeef3a99a3dd3c209 SHA-256: 2eeb11f97e134d234d939fe82f5c008ce00ee2507c2e6f865a36f9b6a6abf8e2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=employee+letter+format+pdf'. This indicates the document is designed to lure users to a malicious site. The document body also contains numerous embedded URLs, many of which point to Shopify domains hosting other PDFs, suggesting a link farm or content distribution network used to obscure the ultimate malicious destination. The primary malicious IOC is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=employee+letter+format+pdf
    • http://files.hounslowpensionersforum.org/uploads/1/3/1/3/131398504/relixilapuwamutiw.pdf
    • http://files.thetotalplayer.co.uk/uploads/1/3/1/4/131438464/4701535.pdf
    • http://files.friendchristianassembly.com/uploads/1/3/0/7/130775916/sifurob.pdf
    • http://files.kumbalekguitars.com/uploads/1/3/1/6/131606533/jepuzidur-toxuzelozibegiw-vonanesedimetuj.pdf
    • https://cdn.shopify.com/s/files/1/0440/0332/8150/files/supply_chain_management_sunil_chopra.pdf
    • https://cdn.shopify.com/s/files/1/0433/9535/0684/files/90077029510.pdf
    • https://cdn.shopify.com/s/files/1/0429/7264/3491/files/6247188759.pdf
    • https://cdn.shopify.com/s/files/1/0433/0071/6694/files/nowitefesowugimadane.pdf
    • https://cdn.shopify.com/s/files/1/0440/3000/1302/files/pidososewo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tevedizulav.pdf
    • https://cdn.shopify.com/s/files/1/0428/6975/1967/files/alyssa_carson_book.pdf
    • https://cdn.shopify.com/s/files/1/0428/8207/2739/files/ziratuletizadapiluli.pdf
    • https://cdn.shopify.com/s/files/1/0431/2491/6388/files/5226802615.pdf
    • https://cdn.shopify.com/s/files/1/0432/5461/2123/files/64420152513.pdf
    • https://cdn.shopify.com/s/files/1/0433/7077/4693/files/11343622639.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/34530012154.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000076a1.bin
3723a7c83eac2dccffbbea12eb82754a3374c3626f32554e6d82a121ea19284e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76A1 5068 bytes
font_01_sfnt_off000087d3.bin
67a9d520908724c9ed6acb5207fb603c039e14f9e894810e9059b07f76ae2c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87D3 10372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.