Malicious PDF — malware analysis report

Static analysis result for SHA-256 5052cb0aadc986bd…

Verdict: MALICIOUS
File type: PDF
Size: 40.7 KB
Created: 2020-08-21 15:15:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8402dee22a4757c71f886c1b61beffeb
SHA-1: cebaae47370220bb5811f0c59e5e372b957b9c16
SHA-256: 5052cb0aadc986bdc0954af03efd61f1c960ee55b8039b60dc92160030f52c82
Risk score: 120

Malware Insights

MITRE ATT&CK:
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link farm designed to redirect users to malicious infrastructure, specifically to `https://ttraff.com/pify?keyword=bible+movies+mp4`. This indicates a social engineering attempt to lure victims through deceptive content. The document body, though heavily obfuscated, also contains references to this URL and numerous other PDF links hosted on `cdn.shopify.com`, suggesting a link-based redirection scheme.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=bible+movies+mp4

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000061fa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x61FA
    Size: 4996 bytes
    SHA-256: 0ed9c2691f24a1b5576c447cf9e7e6a03cf7186f32482cc091bbb2394ed0d0fd
  • font_01_sfnt_off000072f6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72F6
    Size: 10384 bytes
    SHA-256: dcccdf3e935bd522dd75b63318a8f0c241102951ec86dcfa7e5fb7ddd8a8b6be