Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a450b1333d57826…

MALICIOUS

PDF

42.5 KB Created: 2020-08-24 13:17:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f2f7140df66d482e1bf5105d4b179ac8 SHA-1: a4154a2ef80f9ded24f8d18a1ac57bd609f56a67 SHA-256: 3a450b1333d57826b11259645c45c7c4fa17f669729fa79279840c52434c39dd
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a fake CAPTCHA lure, designed to trick users into clicking on embedded links. One of these links, https://ttraff.ru/pify?keyword=toxicwap.+com+full+movies, points to known malicious redirector infrastructure. The document also functions as a link farm, hosting numerous external PDF files, many of which are hosted on Shopify domains.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=toxicwap.+com+full+movies
    • http://files.maxxpeak.com/uploads/1/3/0/8/130874233/gexel.pdf
    • http://kasiniv.overcomeporn.org/uploads/1/3/0/7/130740434/2484958.pdf
    • https://cdn.shopify.com/s/files/1/0437/7319/8497/files/48838867612.pdf
    • https://cdn.shopify.com/s/files/1/0434/7386/2808/files/zapexo.pdf
    • https://cdn.shopify.com/s/files/1/0433/2906/1032/files/ig323_400_mg.pdf
    • https://cdn.shopify.com/s/files/1/0451/2422/3141/files/prevention_of_occupational_hazards.pdf
    • https://cdn.shopify.com/s/files/1/0433/9128/7461/files/ronixuraboludegorukuv.pdf
    • https://cdn.shopify.com/s/files/1/0437/7001/9994/files/bruce_lee_my_brother_movie.pdf
    • https://cdn.shopify.com/s/files/1/0460/9703/9524/files/lumabokanegevuroxi.pdf
    • https://cdn.shopify.com/s/files/1/0432/0778/6657/files/dufiregod.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/kusamusa.pdf
    • https://cdn.shopify.com/s/files/1/0430/0151/2090/files/88492308473.pdf
    • https://cdn.shopify.com/s/files/1/0431/4336/4759/files/segimav.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c61.bin
370e5b79524101087493a46990e63a36a811a6732b4fc2559d2ebba1465bf4ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C61 4964 bytes
font_01_sfnt_off00006d67.bin
f78c6f3bb6fb8b3cb39654bc34ca045c7e3616b730b7092df91ff6ce170b4f12		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D67 9896 bytes
font_02_sfnt_off00008f55.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F55 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.