Malicious PDF — malware analysis report

Static analysis result for SHA-256 355f4b59312617a1…

MALICIOUS

PDF

51.0 KB Created: 2020-07-20 07:50:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c6c3f753048a23fcfa56b73770c56862 SHA-1: 29e749785e6babd09c34101bbefecb04c7a75bc9 SHA-256: 355f4b59312617a19441bd2ae42ac3f3ba3270ef76032fd0e828596e6eff5d57
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=apple+itunes+mod+apk'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links to external PDFs, some of which are hosted on WordPress. The presence of a 'download button' heuristic further suggests a social engineering lure. No scripts were extracted, and the document body was heavily obfuscated, but the primary attack vector appears to be directing users to malicious infrastructure via deceptive links.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=apple+itunes+mod+apk
    • http://files.shiveringstringswest.com/uploads/1/3/1/6/131606878/7985821.pdf
    • http://files.brianjlucas.com/uploads/1/3/0/9/130969360/rilisilo_jibuxejetone_sagiral_lozigojo.pdf
    • http://files.alexandrabroches.com/uploads/1/3/1/3/131379759/zatorafedonafep_xaluliwobafam_mixoja.pdf
    • http://files.bluetrilliumdesigns.com/uploads/1/3/0/8/130813536/jomino_juxafudemi.pdf
    • http://files.topproductcomparisons.com/uploads/1/3/0/9/130969654/8697267.pdf
    • http://files.bluetrilliumdesigns.com/uploads/1/3/0/8/130813536/jomino_juxafude
    • https://fobigimi.files.wordpress.com/2020/06/84986370693.pdf
    • https://zujidifowuro.files.wordpress.com/2020/06/71096086589.pdf
    • https://gisajebide.files.wordpress.com/2020/07/79286564354.pdf
    • https://zupowakavix720341742.files.wordpress.com/2020/07/96199799186.pdf
    • https://sowijoz.files.wordpress.com/2020/07/80883408202.pdf
    • https://pofiwofuleb.files.wordpress.com/2020/06/59836665384.pdf
    • https://tijufujo.files.wordpress.com/2020/06/vajibaliviwelozagaguzob.pdf
    • https://cdn.shopify.com/s/files/1/0434/6245/9544/files/15115408112.pdf
    • https://cdn.shopify.com/s/files/1/0434/2834/8056/files/33364928155.pdf
    • https://cdn.shopify.com/s/files/1/0428/4963/2415/files/45568769738.pdf
    • https://cdn.shopify.com/s/files/1/0432/2800/4507/files/jopuki.pdf
    • https://cdn.shopify.com/s/files/1/0431/2065/6545/files/48898854543.pdf
    • https://cdn.shopify.com/s/files/1/0437/9348/1885/files/genelel.pdf
    • https://cdn.shopify.com/s/files/1/0432/6585/1542/files/fijusi.pdf
    • https://cdn.shopify.com/s/files/1/0430/7720/6165/files/81064007568.pdf
    • https://cdn.shopify.com/s/files/1/0432/2702/1480/files/pofijipipovodusulomuze.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000089c2.bin
5772becae7922621958c9372fceeb1d35b2ccd723e385d79550b0497e4ca1fa6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89C2 4944 bytes
font_01_sfnt_off00009a79.bin
0abb991426914333ab640ef93a11c38faae981a5a1e0da74692279d8b0c36cd7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A79 10572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.