Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cea19b7db2881c4…

MALICIOUS

PDF

75.7 KB Created: 2020-09-17 06:46:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3dc34c950aa1fcd610d4fd0b07b4fa96 SHA-1: 6fe1a9d82422f1480b42fbe25a474e93a001ab2f SHA-256: 7cea19b7db2881c4546c9c3188f36588dd5632c923eaad8a41f9af751a4fce3f
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF file contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.me/wix?keyword=boot+system+flash+switch+all'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, including one to 'https://cdn.shopify.com/s/files/1/0429/5376/9126/files/57861627385.pdf'. The document also contains a lure to execute commands via the clipboard, suggesting an attempt to trick the user into running malicious code. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=boot+system+flash+switch+all
    • https://cdn.shopify.com/s/files/1/0429/5376/9126/files/57861627385.pdf
    • https://cdn.shopify.com/s/files/1/0433/1313/5774/files/honeywell_chronotherm_iv_plus_manual_reset.pdf
    • https://cdn.shopify.com/s/files/1/0435/2763/5096/files/tuselonilotut.pdf
    • https://cdn.shopify.com/s/files/1/0457/5651/4460/files/22754212274.pdf
    • https://cdn.shopify.com/s/files/1/0433/2666/8952/files/jugizemuxonojajixixifadek.pdf
    • https://123f484c-d8fe-42fc-b006-f89ef89e22e5.filesusr.com/ugd/2c76f4_df675379d4424e4883dfa86a422eae7e.pdf?index=true
    • https://d81368f9-8d24-4254-8042-6fc9c1269551.filesusr.com/ugd/77941b_afd48d4a5084475db025b7c51c3849f3.pdf?index=true
    • https://ce8701bd-5cb5-49bd-834c-09177818c20d.filesusr.com/ugd/65e777_2459c4d7630540f79c59d63837942272.pdf?index=true
    • https://5c16e2e5-fa19-4161-a015-e3162c596ed7.filesusr.com/ugd/33a2e4_190ba107941447d4a5bdf70a82892217.pdf?index=true
    • https://4cb8b184-0915-4fc7-833b-7d56badacda4.filesusr.com/ugd/b0c717_6a58cfb225f74b23a563d2a9792763fa.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0433/9299/1399/files/kevakawidituzinofod.pdf
    • https://cdn.shopify.com/s/files/1/0432/8924/7894/files/24253066982.pdf
    • https://cdn.shopify.com/s/files/1/0431/6810/4602/files/ranokimo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d4d2.bin
85b692c1c636aed9ab1240d2a7361179fdd6c0849396a06064984f922e967b4f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD4D2 2828 bytes
font_01_sfnt_off0000decc.bin
0cfdf47bb5b43a035c3d4ccbc5658950ce607ea4eae1a49bc3a3df5b6a7dbf5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDECC 4952 bytes
font_02_sfnt_off0000efbb.bin
ea5155cfb068acab88cb41bca1eb44a4f88904dd50e5c93d54747c709a7e7084		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEFBB 10308 bytes
font_03_sfnt_off000112fc.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x112FC 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.