Malicious PDF — malware analysis report

Static analysis result for SHA-256 57d80bb6987a2950…

MALICIOUS

PDF

47.6 KB Created: 2020-07-30 21:48:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a4413281d02224b5fb6e9ddcbdadbc9 SHA-1: 3da293840aed2afd497ecca3290d67f012885e1a SHA-256: 57d80bb6987a29501a042480763f287afe85153cc480427c9759c1c7d3294edb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links that redirect to a known malicious domain, ttraff.com. This indicates a phishing or malware distribution attempt. The document body, though heavily obfuscated, appears to contain keywords related to programming, likely as a lure. The presence of numerous external PDF links, many hosted on cdn.shopify.com, suggests a link farm or SEO poisoning tactic to improve search engine visibility for malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=java+programming+questions+on+classes+and+objects+pdf
    • http://files.executiveflightclub.com/uploads/1/3/0/8/130814397/lanulewovapiwod-darixafir.pdf
    • http://files.jimyangart.com/uploads/1/3/1/4/131407918/3158106.pdf
    • http://files.asapbwh.org/uploads/1/3/0/8/130874254/pezanipifugosiz.pdf
    • http://files.executiveflightclub.com/uploads/1/3/0/8/130814397/lanulewova
    • https://cdn.shopify.com/s/files/1/0428/4334/0956/files/31356457573.pdf
    • https://cdn.shopify.com/s/files/1/0437/9423/5553/files/redulokodukaragejovel.pdf
    • https://cdn.shopify.com/s/files/1/0432/4311/0555/files/35835448304.pdf
    • https://cdn.shopify.com/s/files/1/0431/0574/7095/files/jelotesar.pdf
    • https://cdn.shopify.com/s/files/1/0429/9682/6273/files/nusuwotawizaweboli.pdf
    • https://cdn.shopify.com/s/files/1/0435/3854/6840/files/toluguxumibelazivifep.pdf
    • https://cdn.shopify.com/s/files/1/0437/3564/6357/files/21912557281.pdf
    • https://cdn.shopify.com/s/files/1/0432/7673/0533/files/26783981228.pdf
    • https://cdn.shopify.com/s/files/1/0431/0378/1013/files/25418767167.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/31082235151.pdf
    • https://cdn.shopify.com/s/files/1/0431/0378/1013/files/lulidovewowu.pdf
    • https://cdn.shopify.com/s/files/1/0437/4193/7818/files/53537081162.pdf
    • https://cdn.shopify.com/s/files/1/0430/3863/8241/files/norafowu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007b45.bin
fbd877c28a9dd0820525d992ce47fa25f75c56aa8f60b3fa18644db8f382cb69		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B45 5748 bytes
font_01_sfnt_off00008eb4.bin
929e74569cde8f15e94506282f48941a9fc01a58f9de75ce07909ea55f1f61b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8EB4 10048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.