Malicious PDF — malware analysis report

Static analysis result for SHA-256 45b114ab2e7f6b5c…

Verdict: MALICIOUS
File type: PDF
Size: 48.9 KB
Created: 2020-09-07 22:44:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 242d5c0fc038778f08e0ecdb92787451
SHA-1: 9e9a4387698eaf70906273c8f4c80a98ddde276c
SHA-256: 45b114ab2e7f6b5c04f7dfa9294b784fa81414a9998f1c2e0f32e1be02649d2f
Risk score: 162

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 Command and Scripting Interpreter: PowerShell
Note: no heuristic or carved artifact in this report shows PowerShell in the document itself, so T1059.001 can only describe a stage reached after the redirect, not this PDF.

The PDF uses a social-engineering lure, free sheet music, to get the user to click embedded links. One of them, https://ttraff.link/wix?keyword=easy+free+sheet+music+for+piano+beginners, is identified as a malicious redirector. The document also carries a large number of other links to PDF files, hosted on cdn.shopify.com and static.usrfiles.com, the pattern of a generated link farm used for SEO manipulation and to obscure the malicious destination. The document itself carries no active content: no JavaScript or embedded-file heuristic fired, the only carved objects are embedded fonts, and the authoring application (wkhtmltopdf, an HTML-to-PDF renderer) is consistent with bulk generation from web pages. The attack therefore depends entirely on the user following a URL, which can lead to malware download or credential theft; nothing here exploits the PDF reader.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [high] SE_BROWSER_INSTALL_LURE: Browser extension / update installation lure
    The document tells the user to install a browser extension, plugin, viewer or browser update to view the content, a common social-engineering path to credential theft and malware installation.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JavaScript, link annotation, document body, ...) reached each URL. The first entry below is the clickable link annotation flagged by PDF_MALICIOUS_REDIRECTOR_LINK; the 18 .pdf entries that follow are the link farm (9 on cdn.shopify.com, 9 on static.usrfiles.com); the final six http:// entries (w3.org, purl.org, ns.adobe.com) are XMP namespace identifiers from the metadata stream and are not navigable links.
    • https://ttraff.link/wix?keyword=easy+free+sheet+music+for+piano+beginners
    • https://cdn.shopify.com/s/files/1/0430/0885/2117/files/safudezedujejibupo.pdf
    • https://cdn.shopify.com/s/files/1/0465/3236/2390/files/cisco_ccna_voice_lab_manual.pdf
    • https://cdn.shopify.com/s/files/1/0430/0177/4233/files/vatotoxorij.pdf
    • https://cdn.shopify.com/s/files/1/0431/8494/7357/files/scratch_card_apk.pdf
    • https://cdn.shopify.com/s/files/1/0433/5036/0232/files/hagerman_national_wildlife_refuge_fishing_report.pdf
    • https://static.usrfiles.com/ugd/b8c837_ed5e262a66c34816884a5691be4fe99d.pdf
    • https://static.usrfiles.com/ugd/9b7d8a_ce675105cd0a411a8faf8c5fb171a560.pdf
    • https://static.usrfiles.com/ugd/01bc73_66536ec82f034909b242a2583ddec0be.pdf
    • https://static.usrfiles.com/ugd/1cfe37_acf09c757c9f461696a6c78679f85247.pdf
    • https://static.usrfiles.com/ugd/b8c837_d3eeb3ced771494d89cdb5f217548af8.pdf
    • https://cdn.shopify.com/s/files/1/0447/4830/8631/files/ryanair_boarding_pass_als.pdf
    • https://cdn.shopify.com/s/files/1/0438/2903/5158/files/downloading_ios_8._3.pdf
    • https://cdn.shopify.com/s/files/1/0431/5286/7477/files/tivaxigowexotelejeneti.pdf
    • https://cdn.shopify.com/s/files/1/0440/6909/3541/files/harley_davidson_sportster_owners_manual.pdf
    • https://static.usrfiles.com/ugd/5926b4_b86f9d2902774672b4efa0603781fd63.pdf
    • https://static.usrfiles.com/ugd/b8c837_473a88f600f445a1aba8ba4fff4a6b36.pdf
    • https://static.usrfiles.com/ugd/1d64af_165735b2695e4cb29e70f07e36c482ae.pdf
    • https://static.usrfiles.com/ugd/ced2dc_95ec24a6821247ae891c4aaf513555c3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
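As an added example, not code from the analysis engine that produced this report, the following Python mirrors the two critical heuristics above and the channel caveat on the URL list: it pulls URIs out of /URI link-action dictionaries (the clickable channel), collects xmlns namespace URIs from the XMP metadata stream separately so they are not mistaken for links, matches clickable hosts against a redirector list, and applies a link-farm test (small file, many external .pdf links, clustered on few hosts). The toy PDF, the example.com/example.net farm hosts, the helper names and the three thresholds are constructed for the example; the only real value reused is the ttraff.link redirector URL named in this report.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Redirector host named in the report above. A real deployment would load
# this set from threat intelligence; one host is enough for the example.
REDIRECTOR_HOSTS = {"ttraff.link"}

# /URI value as a literal string (...) with PDF escapes, or a hex string <...>.
_URI_RE = re.compile(rb'/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)', re.S)
# xmlns declarations inside the XMP metadata stream: identifiers, not links.
_XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')
_ESC_RE = re.compile(rb'\\([0-7]{1,3}|.)', re.S)
_ESC_TABLE = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _unescape_literal(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\n \\r \\t \\b \\f, \\( \\) \\\\ and octal \\ddd."""
    def repl(m):
        esc = m.group(1)
        if esc[:1] in b"01234567":
            return bytes([int(esc, 8) & 0xFF])
        return _ESC_TABLE.get(esc, esc)  # \( \) \\ and unknown escapes: drop the backslash
    return _ESC_RE.sub(repl, raw)


def extract_link_uris(pdf: bytes) -> list[str]:
    """URIs reachable by clicking: values of /URI keys in link-action dictionaries."""
    uris = []
    for lit, hexs in _URI_RE.findall(pdf):
        if lit:
            raw = _unescape_literal(lit)
        else:
            h = re.sub(rb"\s", b"", hexs).decode("ascii")
            raw = bytes.fromhex(h + "0" if len(h) % 2 else h)  # PDF pads an odd final digit with 0
        uris.append(raw.decode("latin-1"))
    return uris


def extract_metadata_uris(pdf: bytes) -> list[str]:
    """Namespace URIs from XMP metadata (rdf-syntax-ns, purl.org/dc, ns.adobe.com/xap ...)."""
    return [m.decode("latin-1") for m in _XMLNS_RE.findall(pdf)]


def redirector_hits(uris: list[str]) -> list[str]:
    """Clickable URIs whose host is on the redirector list (PDF_MALICIOUS_REDIRECTOR_LINK)."""
    return sorted({u for u in uris if urlparse(u).netloc.lower() in REDIRECTOR_HOSTS})


def link_farm_assessment(uris, file_size, *, min_links=10, cluster_share=0.4, max_size=200_000):
    """PDF_SEO_LINK_FARM as described above; the three thresholds are assumptions for the example."""
    pdf_links = [u for u in uris
                 if urlparse(u).scheme in ("http", "https") and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = round(top_n / len(pdf_links), 2) if pdf_links else 0.0
    return {"pdf_links": len(pdf_links), "hosts": len(hosts), "top_host": top_host, "top_host_share": share,
            "flagged": file_size <= max_size and len(pdf_links) >= min_links and share >= cluster_share}


def build_sample_pdf(literal_uris, hex_uris, xmp_namespaces) -> bytes:
    """Constructed toy PDF: one page, one /Link annotation per URI, one XMP metadata stream.
    No xref table, because the scanner above works on raw bytes, like pdfid-style triage."""
    objs, refs, n = [], [], 10
    for u in literal_uris:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
        refs.append(f"{n} 0 R"); n += 1
    for u in hex_uris:
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    f"/A << /S /URI /URI <{u.encode('latin-1').hex()}> >> >>\nendobj\n")
        refs.append(f"{n} 0 R"); n += 1
    xmp = ("<x:xmpmeta><rdf:RDF " + " ".join(f'xmlns:ns{i}="{ns}"' for i, ns in enumerate(xmp_namespaces))
           + "></rdf:RDF></x:xmpmeta>")
    body = ("1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >>\nendobj\n"
            f"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream\nendobj\n"
            + "".join(objs))
    return ("%PDF-1.4\n" + body + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# Constructed sample: nine .pdf links on one host (one with escaped parentheses), three on a
# second host, the report's redirector URL, and one non-PDF link written as a hex string.
FARM_HOST_A = [f"https://cdn.example.com/files/doc{i}.pdf" for i in range(8)] + ["https://cdn.example.com/files/sheet(1).pdf"]
FARM_HOST_B = [f"https://static.example.net/ugd/{i:02x}.pdf" for i in range(3)]
REDIRECTOR_URI = "https://ttraff.link/wix?keyword=easy+free+sheet+music+for+piano+beginners"
XMP_NAMESPACES = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/",
                  "http://ns.adobe.com/pdf/1.3/"]
SAMPLE_PDF = build_sample_pdf(FARM_HOST_A + FARM_HOST_B + [REDIRECTOR_URI],
                              ["https://example.com/index.html"], XMP_NAMESPACES)


def analyse(pdf: bytes) -> dict:
    """Full triage result for one PDF byte string."""
    links = extract_link_uris(pdf)
    return {"link_uris": links, "metadata_uris": extract_metadata_uris(pdf),
            "redirector_hits": redirector_hits(links), "link_farm": link_farm_assessment(links, len(pdf))}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

The thresholds (10 links, 40 % on one host, 200 KB) are illustrative; the sample in this report has 18 .pdf links split over two hosts in 48.9 KB and would trip them. Escaped parentheses and hex-string /URI values are handled; URIs inside compressed object streams (PDF 1.5 /ObjStm) would have to be inflated first, which this raw-byte scanner does not do.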

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font programs (sfnt, the TrueType/OpenType container); no script, executable or embedded-file object was carved.

Filename                        Kind             Source                                     Size
font_00_sfnt_off000071e0.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x71E0  5480 bytes
    SHA-256: bef4c9ed527651d3bf802e0d46cacfdbd8ec9abc100a454e1ad8702e751551f5
font_01_sfnt_off0000845d.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x845D  10556 bytes
    SHA-256: a79d7201d4a40e8da3ff107dbc875c6b1e8cb6ddbc181c1367dad05b771bfd0c
font_02_sfnt_off0000a86d.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xA86D  4324 bytes
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2