Malicious PDF — malware analysis report

Static analysis result for SHA-256 4adf3a65d830f59c…

MALICIOUS

PDF

47.7 KB Created: 2020-08-08 19:25:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7bc59da42478ea990e1259e4e7ee4454 SHA-1: b0b15c4b081baa61023abbad7c626afd5a36bd69 SHA-256: 4adf3a65d830f59cf8991eca0db8cfb31b887ae6362508a5f3fbdbaf70543c62
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell (no script content was extracted from this sample, so this mapping is not supported by any artifact listed below)

The PDF contains a large number of clickable links, most of them pointing to Shopify CDN paths that host further PDFs; this is the pattern of a generated link farm used for SEO poisoning. The critical finding is a clickable link to ttraff.com, a known malicious redirector, whose query string carries the search phrase the lure targets (assainissement eaux pluviales pdf); that link is the likely payload-delivery path. The document body text is garbled but contains the same target URL, which reinforces the redirection intent. The producer string (wkhtmltopdf 0.12.5 via Qt 4.8.7) shows the file was rendered from HTML, consistent with automated generation. No scripts were extracted from this sample, so delivery depends on the user clicking a link rather than on a PDF parser vulnerability.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, XMP metadata, ...) is what matters, and the extracted URLs are grouped by channel below.
    Clickable link annotation and document body text (critical; matches PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.com/pify?keyword=assainissement+eaux+pluviales+pdf
    Clickable link annotations to external PDFs (matches PDF_SEO_LINK_FARM; 13 of 16 on cdn.shopify.com):
    • http://files.kevinpollarddesign.com/uploads/1/3/1/6/131607712/nuwakisukigaj.pdf
    • http://files.teptu.com/uploads/1/3/2/7/132712072/9646547.pdf
    • http://files.ashleighlleiter.com/uploads/1/3/2/3/132302871/c0ae87371.pdf
    • https://cdn.shopify.com/s/files/1/0429/2067/3433/files/sensory_evaluation_of_food_principles_and_practices_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/0266/6906/files/xetepuzepijaxorunux.pdf
    • https://cdn.shopify.com/s/files/1/0437/3712/0933/files/66288387925.pdf
    • https://cdn.shopify.com/s/files/1/0431/9690/7678/files/mujotobokimegubimoro.pdf
    • https://cdn.shopify.com/s/files/1/0429/5560/4134/files/rofofego.pdf
    • https://cdn.shopify.com/s/files/1/0428/2603/9463/files/77695453114.pdf
    • https://cdn.shopify.com/s/files/1/0434/7238/8249/files/netul.pdf
    • https://cdn.shopify.com/s/files/1/0429/5032/8486/files/cctv_training_manual_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/2976/6039/files/gawexatasopuwafojewakimi.pdf
    • https://cdn.shopify.com/s/files/1/0433/7978/5891/files/16345700208.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/8861538602.pdf
    • https://cdn.shopify.com/s/files/1/0435/4385/5258/files/77732108638.pdf
    • https://cdn.shopify.com/s/files/1/0432/5592/2852/files/18126308406.pdf
    XMP/RDF metadata namespace declarations (not clickable links; standard in XMP metadata streams and not indicators on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
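The two critical heuristics above (redirector link, link farm) and the channel distinction made by EMBEDDED_URL can be reproduced with a small scanner. The following is an added example written for this page, not the analysis platform's own code: it pulls /URI action targets out of link annotations (inflating FlateDecode streams first, so annotations packed into PDF 1.5 object streams are not missed), ignores XMP namespace URIs because they never appear as /URI targets, and then applies the size, link-count and host-clustering checks. The redirector list, the thresholds, and the constructed test PDF (which reuses twelve of the URLs listed above but splits them between plain and compressed objects) are assumptions, not data from the sample.

```python
"""Link-annotation scanner for PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM.
Added example; not the analysis platform's code. Thresholds and the redirector
list are assumptions sized to the sample described in the report."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

KNOWN_REDIRECTORS = frozenset({"ttraff.com"})  # assumption: only the host named in the report

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# /URI action targets written as PDF literal strings; the hex-string form (<...>) is
# not handled here (assumption). XMP namespace URIs only ever appear as xmlns
# attributes inside the metadata stream, so this pattern never picks them up.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def inflate_streams(pdf: bytes) -> bytes:
    """Raw bytes plus the inflated body of every zlib (FlateDecode) stream, so link
    annotations stored in PDF 1.5 object streams are visible to the regex scan."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # image data, fonts, non-Flate filters
    return b"\n".join(parts)


def _unescape(raw: bytes) -> str:
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_link_uris(pdf: bytes) -> list:
    return [_unescape(m.group(1)) for m in URI_RE.finditer(inflate_streams(pdf))]


def assess(pdf: bytes, max_size=200 * 1024, min_pdf_links=10, cluster_share=0.5) -> dict:
    """Return extracted URIs, per-host counts and the heuristic IDs that fire.
    Thresholds are assumptions sized to the sample: 47.7 KB, 16 .pdf links, 13 on one host."""
    uris = extract_link_uris(pdf)
    hosts = Counter((urlparse(u).hostname or "").lower() for u in uris)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hits = []
    if hosts.keys() & KNOWN_REDIRECTORS:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf) <= max_size and len(pdf_links) >= min_pdf_links:
        top = Counter((urlparse(u).hostname or "").lower() for u in pdf_links).most_common(1)[0][1]
        if top / len(pdf_links) >= cluster_share:
            hits.append("PDF_SEO_LINK_FARM")
    if uris:
        hits.append("EMBEDDED_URL")
    return {"uris": uris, "hosts": hosts, "pdf_links": len(pdf_links), "hits": hits}


def build_sample_pdf(plain_uris, compressed_uris) -> bytes:
    """Constructed test input, not the real sample: one page whose /Link annotations
    are split between ordinary objects and a FlateDecode object stream. No xref table
    is written because the scanner never consults one."""
    annot = b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI (%s) >> >>"
    objs = {1: b"<< /Type /Catalog /Pages 2 0 R >>", 2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"}
    refs, num = [], 4
    for u in plain_uris:
        objs[num] = annot % u.encode()
        refs.append(b"%d 0 R" % num)
        num += 1
    pairs, inner = [], b""
    for u in compressed_uris:  # object-stream header is "objnum offset" pairs, then the objects
        pairs.append(b"%d %d" % (num, len(inner)))
        refs.append(b"%d 0 R" % num)
        inner += annot % u.encode() + b"\n"
        num += 1
    head = b" ".join(pairs) + b"\n"
    data = zlib.compress(head + inner)
    objs[num] = (b"<< /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
                 % (len(compressed_uris), len(head), len(data)) + data + b"\nendstream")
    objs[3] = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % b" ".join(refs)
    return b"%PDF-1.5\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (k, objs[k]) for k in sorted(objs)) + b"%%EOF\n"


# URLs taken from the report's extracted-URL list; the plain/compressed split is constructed.
SAMPLE_URIS = [
    "https://ttraff.com/pify?keyword=assainissement+eaux+pluviales+pdf",
    "http://files.kevinpollarddesign.com/uploads/1/3/1/6/131607712/nuwakisukigaj.pdf",
    "http://files.teptu.com/uploads/1/3/2/7/132712072/9646547.pdf",
    "http://files.ashleighlleiter.com/uploads/1/3/2/3/132302871/c0ae87371.pdf",
    "https://cdn.shopify.com/s/files/1/0429/2067/3433/files/sensory_evaluation_of_food_principles_and_practices_download.pdf",
    "https://cdn.shopify.com/s/files/1/0431/0266/6906/files/xetepuzepijaxorunux.pdf",
    "https://cdn.shopify.com/s/files/1/0437/3712/0933/files/66288387925.pdf",
    "https://cdn.shopify.com/s/files/1/0431/9690/7678/files/mujotobokimegubimoro.pdf",
    "https://cdn.shopify.com/s/files/1/0429/5560/4134/files/rofofego.pdf",
    "https://cdn.shopify.com/s/files/1/0428/2603/9463/files/77695453114.pdf",
    "https://cdn.shopify.com/s/files/1/0434/7238/8249/files/netul.pdf",
    "https://cdn.shopify.com/s/files/1/0429/5032/8486/files/cctv_training_manual_download.pdf",
]


def sample_pdf() -> bytes:
    return build_sample_pdf(SAMPLE_URIS[:6], SAMPLE_URIS[6:])


if __name__ == "__main__":
    result = assess(sample_pdf())
    print(result["hits"], dict(result["hosts"]))
```

The regex approach is deliberately tolerant of malformed files (no xref walk), which is what you want on a triage box; the cost is that a URI stored as a hex string or inside a stream using a filter other than FlateDecode is missed, so treat a clean result from this scanner as "no literal-string /URI found", not "no links".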

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs (sfnt containers), not scripts or executable payloads.

  • font_00_sfnt_off00007a19.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x7A19   Size: 5208 bytes
    SHA-256: 07bf5cb7c45bd2b88ccc5155e165ad8392ac57076addfa6a9476e8ae763d029f
  • font_01_sfnt_off00008bcf.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x8BCF   Size: 11636 bytes
    SHA-256: 8f24967b663c9b7f75261941328462327c3c8ed728d562a904b8f8e69b789bbf