Malicious PDF — malware analysis report

Static analysis result for SHA-256 59ae50b48660a625…

MALICIOUS

PDF

Size: 47.3 KB
Created: 2020-08-20 04:59:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58e67c9ccfd75973f2d1250c13916b94
SHA-1: 8b312d7c55a675307ec697ac6f9c544b3cec62dc
SHA-256: 59ae50b48660a625b5120a202884bb076d8c123f2c23726f3103323b9b55ea69
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link farm designed to redirect users to malicious infrastructure, specifically identified by the 'ttraff.com' redirector. The document body, though heavily obfuscated, contains the URL that is also present in the heuristics, indicating a deliberate attempt to lure users to this malicious site. The presence of numerous links to external PDFs, many hosted on Shopify, suggests a tactic to obscure the malicious redirector behind seemingly benign content. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=bridge+to+terabithia+screenplay+pdf
    • http://files.ohioyarn.com/uploads/1/3/1/3/131398555/7a41a8a63277.pdf
    • http://mekebexo.livingfaithbc.net/uploads/1/3/1/4/131438397/3943010.pdf
    • http://files.losangelesspacover.com/uploads/1/3/1/8/131857334/8aae92972cf.pdf
    • https://cdn.shopify.com/s/files/1/0432/8944/4510/files/90352872286.pdf
    • https://cdn.shopify.com/s/files/1/0434/9621/0594/files/53323269930.pdf
    • https://cdn.shopify.com/s/files/1/0461/8944/5283/files/facebook_ipo_roadshow_presentation.pdf
    • https://cdn.shopify.com/s/files/1/0431/3694/2234/files/55543379776.pdf
    • https://cdn.shopify.com/s/files/1/0432/5618/4992/files/49674945176.pdf
    • https://cdn.shopify.com/s/files/1/0428/2174/6847/files/pevewipajavis.pdf
    • https://cdn.shopify.com/s/files/1/0432/2400/6820/files/jadudopikozekoguwul.pdf
    • https://cdn.shopify.com/s/files/1/0434/7995/7669/files/lettre_de_motivation_en_anglais_pour_universit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007a5d.bin
  SHA-256: 82b0c4cdcf6c1cb264eab9a0b2aebbb13f24812115fe4be35b63db7c5e385b6e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7A5D
  Size: 5708 bytes

Filename: font_01_sfnt_off00008dba.bin
  SHA-256: 3de54a69ccb9dc5886ee4f122c689a355084bd213b6e92d9dbf0908b5cdb620d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8DBA
  Size: 10136 bytes