Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ed6297a0ab49f11…

Verdict: MALICIOUS
File type: PDF
Size: 53.4 KB
Created: 2020-08-22 10:14:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49fbfca7bd02b47c4b4b09bfaf21aec8
SHA-1: 20190b99be220ffe8d47b1746003e5341e005bf0
SHA-256: 3ed6297a0ab49f11392a945e9dba2758e6faa77277293c3bc44089ca6140b7fd
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.com, which is disguised with a keyword related to a film song. This suggests a phishing or malware distribution attempt. The file also contains a large number of embedded links, many pointing to Shopify, which is characteristic of SEO poisoning or link farm tactics to obscure the malicious destination. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=bardasht+film+song+free
    • http://files.coaching-planet.com/uploads/1/3/0/9/130969971/8770037.pdf
    • http://pazoruta.smpwpr.com/uploads/1/3/0/8/130814328/7310364.pdf
    • http://files.foamsa.org/uploads/1/3/0/8/130813799/1783455.pdf
    • https://cdn.shopify.com/s/files/1/0434/7772/9432/files/94801148600.pdf
    • https://cdn.shopify.com/s/files/1/0437/1031/6694/files/bibenejozuwetevitiguzin.pdf
    • https://cdn.shopify.com/s/files/1/0429/5573/5199/files/69456979648.pdf
    • https://cdn.shopify.com/s/files/1/0438/7454/9928/files/simple_travel_agency_website_template.pdf
    • https://cdn.shopify.com/s/files/1/0434/4155/3575/files/89364655305.pdf
    • https://cdn.shopify.com/s/files/1/0432/1034/2563/files/wufitajumeruravamiwasidu.pdf
    • https://cdn.shopify.com/s/files/1/0433/2532/5465/files/sakugosevubilobi.pdf
    • https://cdn.shopify.com/s/files/1/0441/1519/8104/files/1814374173.pdf
    • https://cdn.shopify.com/s/files/1/0435/8062/0963/files/fozudelusugimamukoxefixi.pdf
    • https://cdn.shopify.com/s/files/1/0431/5794/6519/files/64232257765.pdf
    • https://cdn.shopify.com/s/files/1/0430/3834/3322/files/english_learning_sinhala.pdf
    • https://cdn.shopify.com/s/files/1/0441/2129/2952/files/63310016284.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 | Kind | Source | Size

  • font_00_sfnt_off000089a3.bin
    SHA-256: 781436fed89bdba36e3800ae992222646cddbb432b6a2a56a76a92633c834ac6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x89A3
    Size: 5368 bytes
  • font_01_sfnt_off00009bbd.bin
    SHA-256: eab169c240df5eae11b8fb6504db4e57fe4583f44c00d2fa59967d0ba87f2590
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9BBD
    Size: 14516 bytes