Malicious PDF — malware analysis report

Static analysis result for SHA-256 35b61d5aa449fdc3…

MALICIOUS

PDF

36.2 KB Created: 2020-09-17 07:45:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c5813c1da1f8e0cfdd0c1c358c4f2096 SHA-1: ffdf8d299eb5d4c6a8c6cae21cfb412073e7788b SHA-256: 35b61d5aa449fdc3a0502ef6a40e9150a5953a1b1e0537ba36191a4f4527a55c
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm and a lure suggesting a change in payment instructions, a common Business Email Compromise tactic. The primary malicious link, https://ttraff.me/wix?keyword=dr+metoyer+bossier+city+la, is likely intended to redirect the user to a phishing or malware-hosting site. The presence of numerous other PDF links, many hosted on Shopify, suggests an attempt to obscure the malicious intent and potentially leverage benign-looking domains for distribution.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=dr+metoyer+bossier+city+la
    • http://sadugusok.opticalspy.com/uploads/1/3/1/1/131164439/141806.pdf
    • http://files.pegasus-software.co.uk/uploads/1/3/0/9/130969873/be513a9d8e39.pdf
    • http://files.enmassepodcast.com/uploads/1/3/1/3/131379276/pusef.pdf
    • http://files.floridatennismagazine.com/uploads/1/3/0/8/130874658/dukulugatu-bebam-xuvavojeli.pdf
    • https://cdn.shopify.com/s/files/1/0432/1430/7496/files/mojogewofusatakimaxegi.pdf
    • https://cdn.shopify.com/s/files/1/0437/1221/7241/files/cdc_im_injection_guideline.pdf
    • https://cdn.shopify.com/s/files/1/0434/5934/6582/files/13010404078.pdf
    • https://cdn.shopify.com/s/files/1/0461/1476/7012/files/kexaviw.pdf
    • https://cdn.shopify.com/s/files/1/0440/2321/8341/files/trane_xl90_manual.pdf
    • https://cdn.shopify.com/s/files/1/0435/5283/3687/files/ielts_reading_answer_sheet_british_council.pdf
    • https://cdn.shopify.com/s/files/1/0433/9597/3271/files/fikipulizodotetakoba.pdf
    • https://fc3062ff-fe48-4bd3-bbe2-6a1a2307ad7e.filesusr.com/ugd/3c8574_8462c6359ba8417b906fcb91e8830e5f.pdf?index=true
    • https://6b1c1404-0863-4c3f-b3bd-7082b1e290d9.filesusr.com/ugd/8a9bcc_93b68a5e298b48d0acde1f3b44b849dd.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004e13.bin
cb586593f202411c4ee71aff67ced1f496f7acb27f949af0e8dcc04b69aa3b7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4E13 5188 bytes
font_01_sfnt_off00005fad.bin
33b991179a32d5a1728580a8907bb2f0199768051258641f22d8fda7d65f0251		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FAD 10328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.