Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d504cb0a0178df9…

MALICIOUS

PDF

43.2 KB Created: 2020-08-01 22:31:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe76b9b6ef9151d2294ca26a9bc791cf SHA-1: f02928bf928ed63207ec96a401cda3a2354c06ce SHA-256: 3d504cb0a0178df9ac3c241b44bd2d4e0a98bce7f893f76d2cf00af70d3bd10e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with a critical heuristic firing indicating a link farm pointing to a redirector. The primary redirector URL is 'https://ttraff.cc/pify?keyword=java+kill+process', which likely leads to a malicious payload. The document body contains garbled text but also includes the same redirector URL and several benign-looking Shopify URLs, suggesting an attempt to disguise the malicious intent through a large number of links. The presence of PDF-specific heuristics confirms the malicious nature of the document's linking strategy.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=java+kill+process
    • http://files.amyshomedaycare.com/uploads/1/3/0/9/130969683/lebajexazaxajedowu.pdf
    • http://files.brightstarastro.com/uploads/1/3/1/6/131606069/panozuvijakexo.pdf
    • http://files.purensimpleohio.com/uploads/1/3/2/7/132710689/jobivusi_xuvapubum.pdf
    • https://cdn.shopify.com/s/files/1/0429/2512/9894/files/verav.pdf
    • https://cdn.shopify.com/s/files/1/0429/1405/4300/files/73505583841.pdf
    • https://cdn.shopify.com/s/files/1/0448/4051/7792/files/add_path_to_bash_profile.pdf
    • https://cdn.shopify.com/s/files/1/0434/5833/0786/files/lepagiponekevopelubuna.pdf
    • https://cdn.shopify.com/s/files/1/0427/4195/6775/files/13659460320.pdf
    • https://cdn.shopify.com/s/files/1/0435/2222/8379/files/zukag.pdf
    • https://cdn.shopify.com/s/files/1/0432/4848/4507/files/nogaxavavima.pdf
    • https://cdn.shopify.com/s/files/1/0428/9980/0217/files/4750523115.pdf
    • https://cdn.shopify.com/s/files/1/0429/9731/7783/files/gulutadag.pdf
    • https://cdn.shopify.com/s/files/1/0431/2832/4257/files/23726571631.pdf
    • https://cdn.shopify.com/s/files/1/0429/6825/2565/files/taratipusederap.pdf
    • https://cdn.shopify.com/s/files/1/0438/6521/1035/files/folazisogezomolipofifuno.pdf
    • https://cdn.shopify.com/s/files/1/0433/4052/9816/files/6069212889.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064d1.bin
ceeaee031d0df9fe1fbdd6c20d7eb76581edaeac89d51bb511c49f435cd5fa65		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64D1 5040 bytes
font_01_sfnt_off00007615.bin
615aac4c849e84122415ba5682a9899439b1a19a3396a7d44081620194729261		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7615 13204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.