Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ef69e54170026f9…

Verdict: MALICIOUS
File type: PDF
Size: 78.6 KB
Created: 2020-08-09 02:47:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9228dc1ef9e77deb7de8b8d2cfa80216
SHA-1: 67e5ac6e30b6de8ae8da6685ee982e7e370a6631
SHA-256: 3ef69e54170026f902ed838b00906744bb6d518885225224ebf189d42eb8a6cd
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains multiple links, with one critical heuristic identifying a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains a URL that appears to be the same as the one identified by the heuristic. This suggests the document's primary purpose is to redirect users to malicious content via the 'ttraff.cc' domain.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL flagged by the redirector heuristic: https://ttraff.cc/pify?keyword=metabolisme+vitamin+k+dalam+tubuh+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f5eb.bin
  SHA-256: c1988a7d82ed7b7f249209a7651403c4bda17a92ca881bec310bd79635349785
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF5EB
  Size: 5452 bytes

Filename: font_01_sfnt_off0001085d.bin
  SHA-256: e8710f8a11c84dcfee3b94e471b33d42727125b8ca08ca01c14ceaef3b61deda
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1085D
  Size: 10996 bytes