Malicious PDF — malware analysis report

Static analysis result for SHA-256 332b9da6423414b9…

MALICIOUS

PDF

33.9 KB Created: 2020-08-24 09:30:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 660fce3365ebee0fc82807122394d79d SHA-1: 1cb9073880ca60596521e664d178e8e738ca40c1 SHA-256: 332b9da6423414b920073070e51d12aa207d3ce3ba925ead69e55e1b7dbc8d19
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with one URL pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'blood moon movie free' and the URLs suggest a lure for potentially malicious content. The primary malicious URL is https://ttraff.cc/pify?keyword=blood+moon+movie+free, which likely leads to further malicious content or malware download.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=blood+moon+movie+free
    • http://bafof.airfridgeaz.com/uploads/1/3/1/3/131398367/vexapisegaxejijoluna.pdf
    • https://cdn.shopify.com/s/files/1/0432/6660/5219/files/bomavitonenidagokosedu.pdf
    • https://cdn.shopify.com/s/files/1/0434/1337/3084/files/lolumimozutomarezabika.pdf
    • https://cdn.shopify.com/s/files/1/0431/8917/4432/files/wufaxovo.pdf
    • https://cdn.shopify.com/s/files/1/0427/8406/3654/files/denedomazakubunepuvawozen.pdf
    • https://cdn.shopify.com/s/files/1/0434/4361/7959/files/diretet.pdf
    • https://cdn.shopify.com/s/files/1/0448/0620/9702/files/87527651997.pdf
    • https://cdn.shopify.com/s/files/1/0434/7897/4626/files/good_reader_android_reddit.pdf
    • https://cdn.shopify.com/s/files/1/0433/6173/0719/files/35137426690.pdf
    • https://cdn.shopify.com/s/files/1/0435/4693/5460/files/kuxawunix.pdf
    • https://cdn.shopify.com/s/files/1/0431/4529/8077/files/kubernetes_in_action_epub.pdf
    • https://cdn.shopify.com/s/files/1/0431/7963/8942/files/kufunetunamumesajib.pdf
    • https://cdn.shopify.com/s/files/1/0437/6661/2130/files/5366740631.pdf
    • https://cdn.shopify.com/s/files/1/0431/6112/5013/files/antonyms_examples_list.pdf
    • https://cdn.shopify.com/s/files/1/0437/9715/1904/files/oxford_phonics_world_vk.pdf
    • https://cdn.shopify.com/s/files/1/0431/0204/4316/files/kawobekab.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000048e1.bin
cec7df19f516295a21028eadcb37c58506e7aa6a90841818ed6da112f24b07c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48E1 4776 bytes
font_01_sfnt_off0000590f.bin
da95184f016dad096a8ebcbb2667bb0ec20bab57ca868f3608907411b67740de		 pdf-font-stream PDF embedded font (sfnt) at offset 0x590F 9928 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.