Malicious PDF — malware analysis report

Static analysis result for SHA-256 3bfbfd07902aae66…

MALICIOUS

PDF

46.5 KB Created: 2020-08-05 17:35:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 484c176529eb17bed730b73fcbf7259c SHA-1: 2cb1d88536162638a700607c6e383954acaf9a71 SHA-256: 3bfbfd07902aae6624d61ec0b369732b50ca3ce71ebac50b152a523ab250603f
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on Shopify. The presence of a 'SE_LOLBIN_RUN_COMMAND' heuristic suggests that the document may contain instructions for executing commands, likely to facilitate the redirection or further payload delivery. The document body, though heavily obfuscated, contains the malicious URL.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=beatriz+sarlo+libros+pdf+gratis
    • http://files.leducfarmersmarket.ca/uploads/1/3/1/4/131406806/petivegejisuzig.pdf
    • http://files.hia460eportfoliolizwilson.com/uploads/1/3/1/3/131379312/2604448.pdf
    • http://doruwuzib.rosenetwork.org/uploads/1/3/1/3/131380600/3572627.pdf
    • http://files.rafaelhohmann.com/uploads/1/3/1/3/131384589/rapibifeponubake.pdf
    • http://files.youarethesalt.org/uploads/1/3/2/6/132681812/xadulixoput.pdf
    • https://cdn.shopify.com/s/files/1/0432/9262/3013/files/34662701981.pdf
    • https://cdn.shopify.com/s/files/1/0428/0510/0707/files/95971446075.pdf
    • https://cdn.shopify.com/s/files/1/0428/0687/0183/files/69544591361.pdf
    • https://cdn.shopify.com/s/files/1/0431/5545/6149/files/wget_robots_off.pdf
    • https://cdn.shopify.com/s/files/1/0429/0736/9639/files/4869954698.pdf
    • https://cdn.shopify.com/s/files/1/0430/7006/2754/files/jijolovuzizemabuxe.pdf
    • https://cdn.shopify.com/s/files/1/0431/2819/3184/files/29952492966.pdf
    • https://cdn.shopify.com/s/files/1/0433/5806/0703/files/name_of_chess_pieces.pdf
    • https://cdn.shopify.com/s/files/1/0430/0318/3258/files/xinukanuzebezet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000073d4.bin
18048a4c08f633d2d9b554b4390096bcdb63a412856b41af62cab0eb6235138f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73D4 5448 bytes
font_01_sfnt_off00008670.bin
2f1efda468e8c85a755f1825fea4df54cd172794756a6d55267846cef777f19a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8670 11336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.