Malicious PDF — malware analysis report

Static analysis result for SHA-256 480d566a6f2a1c40…

MALICIOUS

PDF

40.8 KB Created: 2020-09-01 12:02:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5269e788b5de092c2af045a26fe0dce5 SHA-1: 974415440edbde68e132c86cb4e0fca210ea8ce7 SHA-256: 480d566a6f2a1c401ef79418a2090b3cdb7f90a72c90016c19ac8c2f03260809
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a malicious redirector at https://ttraff.ru/wix?keyword=chips+movie++mp4, disguised with a seemingly innocuous keyword. This is combined with a large number of links to benign PDFs hosted on Shopify, likely as a form of SEO manipulation or to blend malicious links with legitimate ones. The document body itself is heavily obfuscated and contains the malicious URL, suggesting an attempt to deliver a payload or redirect the user to a phishing site. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=chips+movie++mp4
    • https://cdn.shopify.com/s/files/1/0445/8260/0868/files/19503393314.pdf
    • https://cdn.shopify.com/s/files/1/0429/6998/9279/files/35835553549.pdf
    • https://cdn.shopify.com/s/files/1/0432/9301/6232/files/46353422985.pdf
    • https://cdn.shopify.com/s/files/1/0433/1254/5950/files/63616481716.pdf
    • https://static.usrfiles.com/ugd/eb5a6a_ca5d0983f7244180a2f3af35cbba27f1.pdf
    • https://static.usrfiles.com/ugd/6846fe_204f1e957388447f98af5b41a2460acd.pdf
    • https://static.usrfiles.com/ugd/b8c837_c3cc08bbea914980af47646a1456721e.pdf
    • https://cdn.shopify.com/s/files/1/0436/8069/4437/files/spring_5_webflux_performance.pdf
    • https://cdn.shopify.com/s/files/1/0431/9870/9918/files/tofafuzimobuni.pdf
    • https://cdn.shopify.com/s/files/1/0427/9068/2783/files/spring_boot_microservices_interview_questions.pdf
    • https://cdn.shopify.com/s/files/1/0435/7727/8623/files/39641349760.pdf
    • https://static.usrfiles.com/ugd/0c4177_a80fc0bb218e47f9aa66ba04323a4da0.pdf
    • https://static.usrfiles.com/ugd/3e5d97_131e7ea88be54b7cbcfd3ee5728a1196.pdf
    • https://static.usrfiles.com/ugd/ea2f88_5ea9b9d065a1411c9770504e446e86d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_b1be86f516ce4e37922b6e48ccd8e269.pdf
    • https://static.usrfiles.com/ugd/856cea_466997e40bcd4e0486ca3bca5f565df5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063a6.bin
0388b1d7050efb9036029af98c6e06a23d4b9f20c632e21a6a374d990b424c3a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63A6 4772 bytes
font_01_sfnt_off000073ca.bin
001e5c500c7e404a7fa30e5fd2ccb929b5b38cff634efca8ebff11ecac4dd237		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73CA 10240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.