Malicious PDF — malware analysis report

Static analysis result for SHA-256 422774243b4d79e5…

MALICIOUS

PDF

Size: 69.7 KB
Created: 2020-08-05 07:40:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c54bb5bdb856714a6340ea6634dd4a24
SHA-1: 6e78aff95d1671f5f8e734b5ba0204c80e00051a
SHA-256: 422774243b4d79e53d2c8905d216341cf479edc28c49964b0e7d95fe5ae50017
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.001 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.com, which is designed to lure users into clicking through to malicious content. The document body, though heavily obfuscated, contains the target URL and suggests an urgency lure, aligning with social engineering tactics. The presence of numerous external links, many hosted on Shopify, indicates a link farm strategy to improve SEO for malicious content.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=enterprise+architect+patterns+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d303.bin
    SHA-256: 2008d8404db04612b97a4dd7d3a60b118f576ad85041233162310d662a1e25d0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD303
    Size: 5168 bytes
  • font_01_sfnt_off0000e48e.bin
    SHA-256: 765cbd1292ee5b2a3d7d56bdf0683d9cf012c5d6623a88a147c54db3f59d6dd0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE48E
    Size: 10792 bytes