Malicious PDF — malware analysis report

Static analysis result for SHA-256 75fab92c78dc40e3…

Verdict: MALICIOUS
File type: PDF
Size: 49.9 KB
Created: 2020-08-14 18:17:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e752b44fe35eb561a53cd0ad03500a2
SHA-1: 5d1cb0d02410c3b635fdd8230abd2a80f936a960
SHA-256: 75fab92c78dc40e31ce4de0b3d3c5d36ce6e7df0dc8ca45a4da3adc5a6736a5f
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell (not supported by the static findings below: no script, macro or command-line artifact was extracted, and the heuristics attribute the behaviour to user-clicked redirect chains rather than to code execution)

The PDF is a link farm built to route users to malicious content under the lure of a download for 'Whatsapp mac 10. 7. 5'. The primary malicious URL is https://ttraff.cc/pify?keyword=whatsapp++mac+10.+7.+5, whose host belongs to known redirector infrastructure; the remaining external links point to further generated PDFs, almost all on cdn.shopify.com. The document body, though heavily obfuscated, contains references to this lure and to the redirector URL.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=whatsapp++mac+10.+7.+5 (redirector host, see above)
    • http://punakere.italianstonedesign2018.com/uploads/1/3/2/6/132695925/namexeluxad.pdf
    • https://cdn.shopify.com/s/files/1/0430/6409/8970/files/rokuduz.pdf
    • https://cdn.shopify.com/s/files/1/0432/6621/2003/files/nanusiruturulurokofope.pdf
    • https://cdn.shopify.com/s/files/1/0437/8601/0776/files/jamberry_application_instructions.pdf
    • https://cdn.shopify.com/s/files/1/0432/9635/8565/files/xomikodira.pdf
    • https://cdn.shopify.com/s/files/1/0431/5499/7402/files/sevupufemapos.pdf
    • https://cdn.shopify.com/s/files/1/0430/4732/1751/files/64397241314.pdf
    • https://cdn.shopify.com/s/files/1/0438/6878/2757/files/76216591018.pdf
    • https://cdn.shopify.com/s/files/1/0431/0581/2633/files/54485943011.pdf
    • https://cdn.shopify.com/s/files/1/0430/0118/4417/files/zitalaxupilegotaku.pdf
    • https://cdn.shopify.com/s/files/1/0434/1714/1415/files/tarobugo.pdf
    • https://cdn.shopify.com/s/files/1/0431/6063/3504/files/47144076419.pdf
    • https://cdn.shopify.com/s/files/1/0430/7881/1810/files/55183974281.pdf
    The following are XMP/RDF namespace identifiers from the document's metadata, not link annotations; they are listed for completeness and carry no detection weight:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
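The two link-farm heuristics above, as an added example that is not part of this report or of the analysis engine that produced it: it scans a PDF for /URI link-annotation targets (both literal and hex string forms), then scores host clustering and matches against the redirector host the report names. The sample PDF, the thresholds (200 KB, 8 external .pdf links, 60% on one host), the function names and the benign example.com link are constructed for this example.

```python
"""Re-implementation of PDF_SEO_LINK_FARM and PDF_MALICIOUS_REDIRECTOR_LINK:
extract every /URI action target from a PDF, then score the link set.
Thresholds and the sample document are this example's assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Redirector host named in the report; extend from your own threat intel.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}

# /URI followed by a literal string ( ... ) or a hex string < ... >.
# Only the action key is matched, so XMP namespace URIs in the metadata
# stream (http://ns.adobe.com/..., http://purl.org/...) never reach the verdict.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
_ESC = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}


def pdf_literal_unescape(raw: bytes) -> str:
    """Decode PDF literal-string escapes: \\n-style, \\ddd octal, \\<eol> continuation."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        i += 1
        if c != 0x5C:                      # not a backslash: copy through
            out.append(c)
            continue
        if i >= len(raw):
            break
        e = raw[i]
        if e in _ESC:
            out.append(_ESC[e]); i += 1
        elif e in b"01234567":             # up to three octal digits
            j = i
            while j < len(raw) and j < i + 3 and raw[j] in b"01234567":
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF); i = j
        elif e in b"\r\n":                 # backslash-newline is a line continuation
            i += 1
            if e == 0x0D and i < len(raw) and raw[i] == 0x0A:
                i += 1
        else:                              # \\, \(, \) and unknown escapes
            out.append(e); i += 1
    return out.decode("latin-1")


def extract_uri_annotations(pdf: bytes) -> list[str]:
    """Return every /URI action target in file order.
    Caveat: a raw scan misses URIs inside compressed object streams; inflate
    them (or use a real PDF parser) before scanning production samples."""
    urls = []
    for m in _URI_RE.finditer(pdf):
        lit, hexs = m.group(1), m.group(2)
        if lit is not None:
            urls.append(pdf_literal_unescape(lit))
        else:
            digits = re.sub(rb"\s+", b"", hexs)
            if len(digits) % 2:            # PDF pads a trailing odd digit with 0
                digits += b"0"
            urls.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return urls


def link_farm_verdict(urls, size_bytes, redirectors=KNOWN_REDIRECTOR_HOSTS,
                      *, max_size=200_000, min_pdf_links=8, min_cluster=0.6):
    """Assumed thresholds: a PDF of at most max_size bytes carrying at least
    min_pdf_links external .pdf links, min_cluster of them on one host, is a
    link farm; any link to a redirector host is flagged regardless of size."""
    external = [u for u in urls if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    findings = []
    if (size_bytes <= max_size and len(pdf_links) >= min_pdf_links
            and top_n / len(pdf_links) >= min_cluster):
        findings.append("PDF_SEO_LINK_FARM")
    if any((urlsplit(u).hostname or "") in redirectors for u in external):
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    return {"external_links": len(external), "pdf_links": len(pdf_links),
            "top_host": top_host,
            "top_host_share": round(top_n / len(pdf_links), 2) if pdf_links else 0.0,
            "findings": findings}


def build_sample_pdf(urls):
    """Constructed fixture: a one-page PDF with one /Link annotation per URL,
    alternating literal and hex string forms. It is a scanner fixture, not
    a document meant to render."""
    def lit(s):
        return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>", None]
    refs = []
    for n, u in enumerate(urls):
        uri = f"({lit(u)})" if n % 2 == 0 else f"<{u.encode('latin-1').hex()}>"
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [36 36 200 48] "
                    f"/A << /S /URI /URI {uri} >> >>")
        refs.append(f"{len(objs)} 0 R")
    objs[2] = (f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
               f"/Annots [{' '.join(refs)}] >>")
    body = "%PDF-1.4\n" + "".join(f"{i} 0 obj\n{o}\nendobj\n" for i, o in enumerate(objs, 1))
    return (body + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# Constructed link set mirroring the report: nine generated PDFs on one CDN
# host, the redirector URL from the report, and one benign non-PDF link.
SAMPLE_URLS = (
    [f"https://cdn.shopify.com/s/files/1/04{30 + n}/0000/0000/files/doc{n}.pdf" for n in range(9)]
    + ["https://ttraff.cc/pify?keyword=whatsapp++mac+10.+7.+5",
       "https://example.com/about"]
)


def analyse_pdf(pdf: bytes) -> dict:
    return link_farm_verdict(extract_uri_annotations(pdf), len(pdf))


if __name__ == "__main__":
    print(analyse_pdf(build_sample_pdf(SAMPLE_URLS)))
```

Run it against a real sample with `analyse_pdf(open(path, "rb").read())`; for samples that keep annotations in compressed object streams, decompress first (for example with qpdf's `--object-streams=disable`), since the raw scan above only sees what is stored in plain text.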

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00008430.bin | 45627e3204cf3160b70483e80bdda01ca2814e8d8a0310b28b1a7089da1b1ffb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8430 | 5488 bytes
font_01_sfnt_off000096d9.bin | fe91ebac72a60e2c8596390de4f07068b1bb3dcc2d956601cd25e87bc6ec6bf3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x96D9 | 10420 bytes

Both artifacts are font programs embedded by the authoring application; no script, macro or executable payload was carved from the sample.