Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f7723c58e4671e9…

MALICIOUS

PDF

52.5 KB Created: 2020-07-31 23:39:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f938236e94022f76b3c8dc7975f867b SHA-1: 249615eaea2072dad81eaea5e153b4e1e1b652b0 SHA-256: 7f7723c58e4671e99d468db5a2f8eea74ecac0826e5460a14f871d93de68bfe9
220 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.001 Command and Scripting Interpreter: PowerShell

The PDF document contains a lure related to 'upload to github from terminal' and explicitly requests recovery secrets or private keys, indicating a phishing attempt. It also contains a mass external PDF link farm, with the primary redirector URL being https://ttraff.cc/pify?keyword=upload+to+github+from+terminal. The document body, though heavily obfuscated, contains embedded URLs that likely lead to further malicious content or phishing pages. The presence of multiple heuristics related to malicious links and lures strongly suggests a social engineering attack.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=upload+to+github+from+terminal
    • http://files.theweddingcentrenuneaton.co.uk/uploads/1/3/1/6/131606758/19bfa5edfcf2.pdf
    • http://files.youthleaderhubs.com/uploads/1/3/0/7/130775598/selonojojob_powan.pdf
    • http://files.lancasterthundertix.com/uploads/1/3/1/4/131407406/57d00c3.pdf
    • https://cdn.shopify.com/s/files/1/0437/8502/7746/files/pafebirujaxejoxowotovu.pdf
    • https://cdn.shopify.com/s/files/1/0438/8087/4139/files/56452938263.pdf
    • https://cdn.shopify.com/s/files/1/0430/2353/2195/files/kowes.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/40035930655.pdf
    • https://cdn.shopify.com/s/files/1/0438/9643/8936/files/98695890423.pdf
    • https://cdn.shopify.com/s/files/1/0433/5144/1562/files/17182487127.pdf
    • https://cdn.shopify.com/s/files/1/0429/4580/6503/files/54546309418.pdf
    • https://cdn.shopify.com/s/files/1/0433/9515/4070/files/juwevusaron.pdf
    • https://cdn.shopify.com/s/files/1/0440/9524/2392/files/jikuzetadekomo.pdf
    • https://cdn.shopify.com/s/files/1/0430/2045/1997/files/18869575725.pdf
    • https://cdn.shopify.com/s/files/1/0437/8093/1733/files/29826797886.pdf
    • https://cdn.shopify.com/s/files/1/0430/2068/1369/files/89211043099.pdf
    • https://cdn.shopify.com/s/files/1/0431/7229/8918/files/93583993991.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/semigo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064ea.bin
07800b5ca18339856a4a56f8d46b9ebec54289af24312eae4e51934294175e1e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64EA 5408 bytes
font_01_sfnt_off0000771b.bin
6aa82955e117d44a43ee3f00d38721e5a856e0beaa5e9be21e4b15ad85f5f80c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x771B 3120 bytes
font_02_sfnt_off000083a0.bin
45ebed49cd4cc48b195192c3f823e6fc556e816b69df7ff0b85c95412ee6def8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83A0 13684 bytes
font_03_sfnt_off0000afac.bin
62a91fb32920f6e8cc04f0b1e834142448e73e4a31e16512d2a7fd751ba0d286		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAFAC 16084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.