Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b28a29e9b86c0f2…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Created: 2020-08-04 21:29:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 532b3c581355a957b0855207b4211090
SHA-1: 88ddbcd0f59a26af3e8c7c8fa876af06641e43f4
SHA-256: 3b28a29e9b86c0f292a1e52c86658b7f4e92530fec2243b939e19cd80ba527e9
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com, and one critical link points to a known malicious redirector at ttraff.cc. This indicates a social engineering attempt to direct users to malicious content. The document body, though heavily obfuscated, contains the URL that is also present in the heuristics and IOCs, suggesting it is the primary lure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=advanced+english+dictionary+and+thesaurus+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006844.bin
    SHA-256: 3409677a34b0d0fa1ec18f5dfd38fded42c7e9fe4e2313a8596b64b4328b50fd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6844
    Size: 5568 bytes
  • Filename: font_01_sfnt_off00007b3c.bin
    SHA-256: 36ddbece62c99a811b20114cd0e343c45bc1f9177f9b32c64e8d4cf285fdb36b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B3C
    Size: 10040 bytes