Malicious PDF — malware analysis report

Static analysis result for SHA-256 38217622ecb62a09…

MALICIOUS

PDF

57.9 KB Created: 2020-08-01 03:35:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10d8aa16c22ab731400a93bd1f84abf7 SHA-1: fc6e0a5d838e431acafd6e83dbe3e262fcbfb09a SHA-256: 38217622ecb62a0921b3353c03831e2e9ad32f7a952411eec3b834b8f461dc73
200 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a malicious redirector link to 'ttraff.com' which is associated with malicious activity. It also features a large number of external PDF links, likely for SEO manipulation or to host further malicious content. The document body, though heavily obfuscated, contains the same redirector URL and references to Shopify PDF files, suggesting a lure to download further content. The presence of a 'Payment redirection / bank-detail change lure' heuristic indicates a likely business email compromise scenario.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=free+email+domain
    • http://files.mylenebaxterconsulting.com/uploads/1/3/0/7/130776416/6319479.pdf
    • http://files.cinkitchallenge.com/uploads/1/3/1/8/131857970/vuzixa_xozidedugosiru_kunoda_lopekulu.pdf
    • http://files.sharicookson.com/uploads/1/3/1/6/131637047/notegamaxi_xavun_dexirez_musipib.pdf
    • http://files.kristakorkiakoski.com/uploads/1/3/1/3/131379914/718eb338.pdf
    • http://files.bbq4hope.com/uploads/1/3/0/9/130969656/4a5d0bf.pdf
    • https://cdn.shopify.com/s/files/1/0427/5827/5238/files/38935527223.pdf
    • https://cdn.shopify.com/s/files/1/0438/6599/7472/files/27093676759.pdf
    • https://cdn.shopify.com/s/files/1/0437/5625/7441/files/luvurutoximalelibez.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/bodadajigewodozisidezufe.pdf
    • https://cdn.shopify.com/s/files/1/0428/3272/4124/files/86826489755.pdf
    • https://cdn.shopify.com/s/files/1/0429/3161/7945/files/sefamumeletimazibi.pdf
    • https://cdn.shopify.com/s/files/1/0440/7299/2918/files/13170085520.pdf
    • https://cdn.shopify.com/s/files/1/0431/6839/9524/files/nelovobunozimabewisomif.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/81603963226.pdf
    • https://cdn.shopify.com/s/files/1/0433/4790/2622/files/gurorat.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lofolevunukexus.pdf
    • https://cdn.shopify.com/s/files/1/0428/4976/3494/files/revuwixivi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a563.bin
16214b98a5249b87bf729256309f3efb1b908c9740669cccb88d447326afcbc4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA563 4748 bytes
font_01_sfnt_off0000b567.bin
f8d3d22b3bb62637cc862220106dbcf630d31b1f2df9510e3543ad2d95e30431		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB567 10992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.