Malicious PDF — malware analysis report

Static analysis result for SHA-256 494db9870f87cc1d…

MALICIOUS

PDF

48.5 KB Created: 2020-07-28 17:43:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 81a4c2387942e0d28209160fcfde5818 SHA-1: 4d6e489cb9cb90482ebdfa2cb08f7660de4e2965 SHA-256: 494db9870f87cc1d488a3ff56fbdeaf7eb98b2709cae6860b2b83fba243a51df
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com', which is used in conjunction with a link farm technique. The document body, though heavily obfuscated, contains text related to a movie title and the PDF creation tool, suggesting a lure. The primary attack vector appears to be directing users to a malicious URL disguised as a movie download.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=aarambam+tamil+full+movie+single+part
    • http://files.sbufootball.net/uploads/1/3/1/3/131380966/fibakitupu.pdf
    • http://files.yamayasgift.com/uploads/1/3/0/8/130814058/d1129.pdf
    • http://files.phuketfishingcharters.net/uploads/1/3/1/0/131070597/gazupe-jupatikaj-mobonaro-xiwulite.pdf
    • http://files.hilltopangusfarm.com/uploads/1/3/1/4/131408086/dukanifixobizug-kogasidige-jobix-fisuzodogole.pdf
    • https://cdn.shopify.com/s/files/1/0433/5081/8969/files/53077716349.pdf
    • https://cdn.shopify.com/s/files/1/0431/1659/3312/files/33943390617.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/jatud.pdf
    • https://cdn.shopify.com/s/files/1/0433/8001/5262/files/80703189286.pdf
    • https://cdn.shopify.com/s/files/1/0432/4550/2626/files/vipigufupipugujuj.pdf
    • https://cdn.shopify.com/s/files/1/0433/5193/3078/files/juzoziziput.pdf
    • https://cdn.shopify.com/s/files/1/0430/6993/1671/files/rediz.pdf
    • https://cdn.shopify.com/s/files/1/0430/3981/7890/files/78284687886.pdf
    • https://cdn.shopify.com/s/files/1/0431/6617/1297/files/93591769678.pdf
    • https://cdn.shopify.com/s/files/1/0431/6774/4160/files/somojitejuzexenitiraniduk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000067cd.bin
eb2d90e899b9ad6410f91dcf745f4088c5d8457e35355a9f4288c67a31be92a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67CD 5292 bytes
font_01_sfnt_off000079ba.bin
e8c569b4787faa063f2ed947588a37dc586de5ab58b536ad860483f309affcf0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79BA 11408 bytes
font_02_sfnt_off00009fa5.bin
ebd2804bff382343e08f6a42dc45f69f4e794c08b23908ae60ba78ededae74b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9FA5 16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.