Malicious PDF — malware analysis report

Static analysis result for SHA-256 54e85da93c6aa5cb…

MALICIOUS

PDF

70.1 KB Created: 2020-08-22 12:08:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5c39e0f7f28072c85f62c061cd679b77 SHA-1: 157bdf48d0193b4f9524ea4623dcb3a18e3b6081 SHA-256: 54e85da93c6aa5cb47926db35bb4906ca7f4f42b6f385770776e78e8001cfe76
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector at 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL. This suggests a phishing or scam attempt where the user is tricked into clicking the malicious link, likely to download further malware or be directed to a fraudulent site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=centos+6.+7+minimal+64+bit
    • http://wuxifikos.designsbyshelagh.com/uploads/1/3/0/7/130775162/guvefasekuloxat-kesafiledoronat.pdf
    • http://fawivizuf.sdadata.org/uploads/1/3/2/6/132682347/mavebexinised.pdf
    • http://supiwon.the-nature-atelier.com/uploads/1/3/2/6/132682974/takotobabi.pdf
    • http://files.rkarimitherapy.com/uploads/1/3/1/4/131408169/rosalazon.pdf
    • https://cdn.shopify.com/s/files/1/0438/5246/4293/files/98902945624.pdf
    • https://cdn.shopify.com/s/files/1/0429/2768/5799/files/91830360437.pdf
    • https://cdn.shopify.com/s/files/1/0432/2584/1821/files/16138522604.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/9467339244.pdf
    • https://cdn.shopify.com/s/files/1/0428/9105/1164/files/convert_list_to_string_python.pdf
    • https://cdn.shopify.com/s/files/1/0438/2746/2301/files/cat_backhoe_operator_manual.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nasodidupafulad.pdf
    • https://cdn.shopify.com/s/files/1/0431/8740/4968/files/fodakajizodit.pdf
    • https://cdn.shopify.com/s/files/1/0437/1136/5272/files/apigee_tutorial_for_beginners.pdf
    • https://cdn.shopify.com/s/files/1/0431/5466/9729/files/rumexasibuboj.pdf
    • https://cdn.shopify.com/s/files/1/0437/8938/5890/files/71165262209.pdf
    • https://cdn.shopify.com/s/files/1/0433/9888/9635/files/genewonatefogexigub.pdf
    • https://cdn.shopify.com/s/files/1/0431/7901/6360/files/43575895144.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ce88.bin
e71fdab51caf31f692517f7cf6984e1b002bfaa11b078a2ff88202448549d8c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE88 5136 bytes
font_01_sfnt_off0000dff9.bin
d2f3a92b6f7bc72304f14ff1f56891e44cb6d2c81bb0226a5b27ddc699b47003		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDFF9 13584 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.