Malicious PDF — malware analysis report

Static analysis result for SHA-256 4cd0e4151e238394…

MALICIOUS

PDF

54.7 KB Created: 2020-08-04 01:14:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 92dab6952ae4515433c5680f69e3c0be SHA-1: b7b7d274d77a833660c91b91185aa945d6a9a3f7 SHA-256: 4cd0e4151e2383945e41fd565b523b1b2c11655bf32bf79728d5c321f97cf26e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is disguised as a trading strategy document. This redirector likely leads to a malicious payload or phishing page. The file also contains a large number of external links, many hosted on Shopify, which is characteristic of SEO spam or link farm techniques used to distribute malware.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=bollinger+band+trading+strategy+pdf
    • http://files.sharonjoys.com/uploads/1/3/1/4/131438557/xojono_lixorozawid.pdf
    • http://files.loftconversionsderby.co.uk/uploads/1/3/1/8/131856039/dolijaxinivavaz-dubumonogadu-buxujogo-netuwamijukuna.pdf
    • http://files.irinakhromova.com/uploads/1/3/1/4/131406715/1499679.pdf
    • http://files.nehb.net/uploads/1/3/1/8/131857120/vipakovodunosu_sobafes_jotazim.pdf
    • https://cdn.shopify.com/s/files/1/0440/6794/6648/files/12784979804.pdf
    • https://cdn.shopify.com/s/files/1/0430/8441/5143/files/11827478420.pdf
    • https://cdn.shopify.com/s/files/1/0436/1378/2173/files/waxuxifuwopigeligexid.pdf
    • https://cdn.shopify.com/s/files/1/0440/8921/3093/files/zuwulofun.pdf
    • https://cdn.shopify.com/s/files/1/0432/4281/5643/files/troy_bilt_tb30r_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/2902/0317/files/16009030101.pdf
    • https://cdn.shopify.com/s/files/1/0430/3526/3138/files/85969211397.pdf
    • https://cdn.shopify.com/s/files/1/0431/7695/1957/files/80649162476.pdf
    • https://cdn.shopify.com/s/files/1/0431/6643/3435/files/43173147104.pdf
    • https://cdn.shopify.com/s/files/1/0430/9201/7305/files/remufofirifuduja.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0432/2902/0317/files/160090

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009686.bin
63ac7e8caa9f2994a6ce39e5ae4df66a0e852623eceab3c8319b74996f3d37b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9686 5500 bytes
font_01_sfnt_off0000a951.bin
365e0be15b7af896a6f138f84c6b6a77b416ce0a9f7c17627f808bedb72e0400		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA951 10632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.