Malicious PDF — malware analysis report

Static analysis result for SHA-256 473b6d2d71beb138…

MALICIOUS

PDF

Size: 47.5 KB
Created: 2020-08-15 01:52:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68f752a139fd3bf18e90e579d88aae76
SHA-1: 2b609c93f8d8a399c0d106073c18fb97a819aab8
SHA-256: 473b6d2d71beb1383a4ca74d27f3a3492dad33e5fca86ef66998d00e23b9e688
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1200 Hardware Add-in

The PDF file was flagged for containing a malicious redirector link and a large number of external links, indicating a link farm. The primary malicious URL identified is 'https://ttraff.cc/pify?keyword=panorama+chaines+canalsat+pdf', which is likely used to redirect users to a malicious site. The document body, though heavily corrupted, contains references to the redirector URL and other PDF files hosted on Shopify, suggesting a lure to download further malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.cc/pify?keyword=panorama+chaines+canalsat+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006686.bin
    SHA-256: 81d6607b85661121f1d659ae97dfefb4ea76ff1d1d29574b72345dac9f55e952
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6686
    Size: 5184 bytes
  • Filename: font_01_sfnt_off000077eb.bin
    SHA-256: e9a23cddcc583c0bb290fc4d67701c13d7f4ae297c31648b77fd27bcd213c289
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x77EB
    Size: 13808 bytes
  • Filename: font_02_sfnt_off0000a338.bin
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA338
    Size: 4324 bytes