Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b061c63d212a8c8…

Verdict: MALICIOUS
File type: PDF
Size: 45.3 KB
Created: 2020-08-25 20:07:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1eaafac62a51d729f7a16fe37320cead
SHA-1: 14920d1d0f710ed43c1e244d995fd8637579ea54
SHA-256: 7b061c63d212a8c827ebf9e82fda40cfcaac5497cf442ab0f36dedae4b6ab7f7
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a lure related to 'Nys llc filing fee' and includes a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links hosted on shopify.com, suggesting an attempt to obscure the final malicious destination. The document body, though partially corrupted, contains the malicious URL and other embedded links, indicating a social engineering attempt to redirect the user to malicious infrastructure.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure [high] SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions, a high-value business-email-compromise pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=nys+llc+filing+fee

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00006791.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6791  4412 bytes
  SHA-256: d285c64f45dc7ac243fd9eb13e7e839576554e567eb476ef5b50310455ab9f16
font_01_sfnt_off000076a0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x76A0  10492 bytes
  SHA-256: 7fd6398d4df6a47f3c67b4d6abcdfc04f6667edf42f765f1270adc157e72d586
font_02_sfnt_off00009a4e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9A4E  4324 bytes
  SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f