Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f87a2d352b2c6f7…

MALICIOUS

PDF

48.5 KB Created: 2020-09-03 05:12:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4644c0cbfdfdded23b9f9cadc9b86010 SHA-1: 175fd27a992f6881b208cd08e69700cf53f980bc SHA-256: 2f87a2d352b2c6f712dead672b259d99483a3d4b1338d7a93583a11303db15e0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, directing users to 'ttraff.club'. Additionally, it exhibits characteristics of a link farm, embedding numerous external PDF links, many hosted on Shopify. The document body, though heavily obfuscated, contains the same malicious URL and benign-looking PDF titles, suggesting a lure to disguise the malicious intent. The primary attack pattern involves tricking users into clicking the malicious link, likely leading to further compromise.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=define+linear+transformation+of+vector+space
    • https://cdn.shopify.com/s/files/1/0429/4246/4166/files/arduino_for_dummies_espaol.pdf
    • https://cdn.shopify.com/s/files/1/0433/7346/1660/files/momefojigojid.pdf
    • https://cdn.shopify.com/s/files/1/0427/8022/9791/files/69317303423.pdf
    • https://static.usrfiles.com/ugd/b8c837_498797f69b75420b9030a21ffcf375ea.pdf
    • https://cdn.shopify.com/s/files/1/0434/2287/5813/files/rafopubevonejed.pdf
    • https://cdn.shopify.com/s/files/1/0436/5107/2153/files/whitetail_deer_wall_paper.pdf
    • https://cdn.shopify.com/s/files/1/0427/9664/6556/files/tusewusarojisopazisojawe.pdf
    • https://cdn.shopify.com/s/files/1/0434/4204/5090/files/86298638553.pdf
    • https://cdn.shopify.com/s/files/1/0431/8897/7813/files/84310254017.pdf
    • https://cdn.shopify.com/s/files/1/0430/9326/2487/files/91735758825.pdf
    • https://cdn.shopify.com/s/files/1/0428/7745/2454/files/1704390571.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006964.bin
c578319575dc736608d70a185f35d6c9094fc956aec28d9dbee39025cbf101f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6964 6060 bytes
font_01_sfnt_off00007e46.bin
3edd909e5fc3b40783aff6cc00c51b58b85bffb6084e6ec743d1d18f68a3a0d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E46 5220 bytes
font_02_sfnt_off00009006.bin
e104bb19d5522e9d026f747668abb127ff0dc0cd43b19bbebcabf91ccd3c5172		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9006 10716 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.