Malicious PDF — malware analysis report

Static analysis result for SHA-256 43fb476a92818aac…

MALICIOUS

PDF

47.4 KB Created: 2020-08-20 20:41:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58b15a00fcf1a0f4944d8b728c658eb1 SHA-1: 7b92366567eb3868bbe51eb4b23e11a6e5a85b28 SHA-256: 43fb476a92818aac2af62b27ea7ca4611aff18f5619c60868ee98ad53982201d
240 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains multiple heuristics indicating malicious intent, including a redirector link and a link farm. The document body explicitly mentions 'I forgot my gmail security question answer' and includes a URL that appears to be a lure for account recovery or phishing. The presence of numerous embedded links, many pointing to Shopify domains, suggests an attempt to obscure the ultimate destination or to create a link farm. The primary malicious URL identified is https://ttraff.com/pify?keyword=i+forgot+my+gmail+security+question+answer.

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=i+forgot+my+gmail+security+question+answer
    • http://fumup.amgcorporateoffices.com/uploads/1/3/1/4/131482995/bitejawa_godekirivor_dejatuxel.pdf
    • http://files.vivwalkerart.com/uploads/1/3/0/7/130738701/9228516.pdf
    • http://files.ketchikanwhales.com/uploads/1/3/1/4/131453456/telale_mimulodob_lumabedaditi.pdf
    • http://files.statedshowroom.com/uploads/1/3/1/0/131070212/3bf8e28a0cb60a.pdf
    • http://diweri.justcapsusa.com/uploads/1/3/2/8/132814930/rurobu_xejapixekiridal_zolufes_zujunopifoge.pdf
    • https://cdn.shopify.com/s/files/1/0431/1282/4993/files/notevifidesija.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/68876684382.pdf
    • https://cdn.shopify.com/s/files/1/0429/9646/5823/files/great_quotes_of_all_time.pdf
    • https://cdn.shopify.com/s/files/1/0432/2679/2093/files/99789993383.pdf
    • https://cdn.shopify.com/s/files/1/0433/2693/1099/files/alcohols_and_phenols_ncert.pdf
    • https://cdn.shopify.com/s/files/1/0441/3734/9272/files/journey_to_the_center_of_the_earth_full_book.pdf
    • https://cdn.shopify.com/s/files/1/0439/9906/8318/files/79622292576.pdf
    • https://cdn.shopify.com/s/files/1/0430/1117/8649/files/business_writing_tips.pdf
    • https://cdn.shopify.com/s/files/1/0447/7979/8679/files/givikakolagog.pdf
    • https://cdn.shopify.com/s/files/1/0433/6861/1996/files/kedojuvinigubutoxoloje.pdf
    • https://cdn.shopify.com/s/files/1/0434/8936/2082/files/tuvewo.pdf
    • https://cdn.shopify.com/s/files/1/0435/5974/7745/files/56820806623.pdf
    • https://cdn.shopify.com/s/files/1/0437/7113/4106/files/tasik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e71.bin
9616d9131022c49775d4cbf3d65c86d4b2de1c4580a6b18311a635f0617b5789		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E71 5340 bytes
font_01_sfnt_off00008094.bin
1293a913e26f5e82d983346bd7254853e6cc11587e2aa1bd91cf5d6383d64e36		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8094 9716 bytes
font_02_sfnt_off0000a1c3.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA1C3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.