Malicious PDF — malware analysis report

Static analysis result for SHA-256 338fc1b14e5780d1…

MALICIOUS

PDF

57.0 KB Created: 2020-08-14 16:54:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e3b0c5c66789f3a9f6a55eeb3861a932 SHA-1: 8f9e478dc2320eb8ea5f23416dd2b9db83275714 SHA-256: 338fc1b14e5780d13d8419e22f61e340c3cf7879b8b7e76e2d3072de213c1119
202 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a malicious redirector link to 'ttraff.ru' and a mass external PDF link farm hosted on Shopify. The document body also contains instructions that lure the user into copying and pasting content into a command-line interface or installing a browser extension, indicating a social-engineering attack. The primary intent appears to be directing the user to malicious infrastructure via the embedded links.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=atom+ide+php
    • http://tikepum.celebrityartbypam.com/uploads/1/3/0/7/130739664/gesebaviruloxi.pdf
    • http://losedate.itsnotstreaming.com/uploads/1/3/1/4/131406799/1446019.pdf
    • http://wenup.mynxbeautybar.ca/uploads/1/3/0/7/130776644/4509652.pdf
    • http://files.insurancesolutionspb.com/uploads/1/3/0/7/130739719/2984458f4af.pdf
    • https://cdn.shopify.com/s/files/1/0432/7846/7222/files/defama.pdf
    • https://cdn.shopify.com/s/files/1/0435/5863/3627/files/jivefeme.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/28821374719.pdf
    • https://cdn.shopify.com/s/files/1/0431/1891/9837/files/2988577311.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vabagibad.pdf
    • https://cdn.shopify.com/s/files/1/0432/1338/9992/files/teacher_classroom_management_strategies.pdf
    • https://cdn.shopify.com/s/files/1/0430/6088/7705/files/kozedavirogikubelop.pdf
    • https://cdn.shopify.com/s/files/1/0434/1989/3927/files/pantangi_at_pambalana_worksheet_grade_1.pdf
    • https://cdn.shopify.com/s/files/1/0431/0840/1316/files/antigona_zig_zag.pdf
    • https://cdn.shopify.com/s/files/1/0443/4133/0076/files/agriculture_biologique_maroc.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e48.bin
5a6f016e9314441d27b8d2fafb4cfa94c807b603632548aa75d88869642f142d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E48 4352 bytes
font_01_sfnt_off00007d0d.bin
79329f40b08e3ecbd26d2e8e957e465860f02c8983120044712ee818d5853607		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D0D 4120 bytes
font_02_sfnt_off00008d05.bin
685ef94acdf13be638375f3c9be88dfd3473ca6acdfcb36ec2a69bd89c95e649		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D05 10364 bytes
font_03_sfnt_off0000b0b4.bin
71b35b55ea6a0a4acc6b170c56ac168ce74a5ec05db124705a243368ec2e62fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB0B4 17372 bytes
font_04_sfnt_off0000c8a2.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC8A2 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.