Malicious PDF — malware analysis report

Static analysis result for SHA-256 7aaac1c498cce3d1…

MALICIOUS

PDF

50.4 KB Created: 2020-08-23 05:48:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 38bc5993ad89b03a9bb47a8f5aa16ea1 SHA-1: 9a149dfa558648c8285663034245d8cf965b1147 SHA-256: 7aaac1c498cce3d1cb0a7db6249d40dc4d474079124c67e6b85532077627e56c
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a mass external link farm, with many links pointing to shopify.com domains and a critical redirector link to ttraff.com. The document explicitly requests sensitive recovery secrets, indicating a phishing attempt. The presence of a malicious redirector suggests the intent is to lead the user to a site that may steal credentials or deliver further malware.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=firebase+sdk+android
    • http://zetilom.labour4bromley.org/uploads/1/3/1/6/131606552/954727be5316.pdf
    • http://files.cwa3112.org/uploads/1/3/2/6/132695465/9044716.pdf
    • http://files.graycoolingman.com/uploads/1/3/0/8/130874627/9e8f1f36e15075.pdf
    • http://files.toralconsulting.com/uploads/1/3/0/7/130775732/6a26d23286b0c6.pdf
    • https://cdn.shopify.com/s/files/1/0437/0094/5048/files/lefobiwovukitit.pdf
    • https://cdn.shopify.com/s/files/1/0430/7373/2768/files/nudupoxo.pdf
    • https://cdn.shopify.com/s/files/1/0431/8098/2436/files/miwifoluv.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tefukina.pdf
    • https://cdn.shopify.com/s/files/1/0432/3137/9619/files/73137308457.pdf
    • https://cdn.shopify.com/s/files/1/0427/5296/6812/files/gudaxifadememijineke.pdf
    • https://cdn.shopify.com/s/files/1/0434/8831/3506/files/14555617396.pdf
    • https://cdn.shopify.com/s/files/1/0430/7881/1810/files/8454161499.pdf
    • https://cdn.shopify.com/s/files/1/0429/8817/5513/files/rukobaronafimuxuwes.pdf
    • https://cdn.shopify.com/s/files/1/0432/8407/0558/files/aromatic_substitution_reaction.pdf
    • https://cdn.shopify.com/s/files/1/0436/9724/2280/files/54055856404.pdf
    • https://cdn.shopify.com/s/files/1/0432/5657/8212/files/adobe_livecycle_designer_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008796.bin
f8f468b479e9080b64100dc5ed3051738fcabb510556cfaeb49e5d7d40a9b29d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8796 4948 bytes
font_01_sfnt_off0000986c.bin
55b1bce788ccd985c9bfaa00cf72c69ce4d5d6fc487640106ac13797dc247105		 pdf-font-stream PDF embedded font (sfnt) at offset 0x986C 10668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.