Malicious PDF — malware analysis report

Static analysis result for SHA-256 8075f16953db32c3…

MALICIOUS

PDF

53.6 KB Created: 2020-07-30 03:33:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82a85e8b20702946f4d5623788ae0a32 SHA-1: c5a92addc1fe2a7a665a1fc67fccc73e709564ae SHA-256: 8075f16953db32c38cdb9abe5e1f2000d6c192f242fad3f4451929fdd35eba84
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on Shopify. One of the primary links redirects to a known malicious domain (ttraff.ru). This suggests a social engineering attack aimed at luring users to malicious sites. The document body is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf, a tool often used to create malicious PDFs.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=canon+ipf770+brochure+pdf
    • http://files.herrimanhighchoirs.org/uploads/1/3/1/4/131438459/satesizakepofixajo.pdf
    • http://files.apple-sac.com/uploads/1/3/1/8/131871705/bafab784135.pdf
    • http://files.empirejeepclub.com/uploads/1/3/0/7/130740367/wiruvigawumatebugiru.pdf
    • https://cdn.shopify.com/s/files/1/0440/2806/7990/files/280620520.pdf
    • https://cdn.shopify.com/s/files/1/0429/2093/5590/files/zilatusepozifipelawus.pdf
    • https://cdn.shopify.com/s/files/1/0439/9307/1774/files/gowik.pdf
    • https://cdn.shopify.com/s/files/1/0431/4031/7350/files/75977300296.pdf
    • https://cdn.shopify.com/s/files/1/0430/9411/4465/files/duzonikunevamabizewakaxe.pdf
    • https://cdn.shopify.com/s/files/1/0435/3314/0127/files/84899801692.pdf
    • https://cdn.shopify.com/s/files/1/0433/1234/9334/files/bowojazepedesawixebi.pdf
    • https://cdn.shopify.com/s/files/1/0434/6285/2761/files/potiwolisutamanenajipa.pdf
    • https://cdn.shopify.com/s/files/1/0427/4677/3660/files/60921965405.pdf
    • https://cdn.shopify.com/s/files/1/0436/1935/2740/files/bozeruged.pdf
    • https://cdn.shopify.com/s/files/1/0432/0909/7384/files/26982729458.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008b71.bin
5fe77144b625765f09a0742450d3edc4aca669720e42c5e23f64f1e03c7abaa2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B71 5220 bytes
font_01_sfnt_off00009d1c.bin
4b4165b78f748807d0ad7fe9a73be3200e48dc343061faeee40c82be1d0d79e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D1C 13896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.