Malicious PDF — malware analysis report

Static analysis result for SHA-256 83118a59a82b1cd5…

MALICIOUS

PDF

64.7 KB Created: 2020-08-28 11:44:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 724c3ffea3805ae30cae8e56442f2ab2 SHA-1: 4a337fadd731a5394df744c35cf4930e153ca52e SHA-256: 83118a59a82b1cd504fc9c2aa0aef241fd863471b30fd73fdfbac0d3371bbe9b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. This URL is embedded within the document body, suggesting the primary intent is to lure the user into clicking it. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many hosted on Shopify, potentially to obscure the malicious destination. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=vitotronic+200+notice+d%2527utilisation
    • http://files.blog.millerlab.ca/uploads/1/3/0/8/130813645/kidok-morige.pdf
    • https://cdn.shopify.com/s/files/1/0429/8863/4266/files/85132065627.pdf
    • https://cdn.shopify.com/s/files/1/0428/0388/8287/files/16822493500.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kekesapenogetiru.pdf
    • https://cdn.shopify.com/s/files/1/0437/9040/1687/files/root_android_linux_mint.pdf
    • https://cdn.shopify.com/s/files/1/0437/4151/1834/files/74784551842.pdf
    • https://cdn.shopify.com/s/files/1/0431/1692/0996/files/91804627166.pdf
    • https://cdn.shopify.com/s/files/1/0436/7872/8345/files/ms_sql_server_2014_for_mac.pdf
    • https://cdn.shopify.com/s/files/1/0429/0212/6751/files/infix_to_postfix_converter_java.pdf
    • https://cdn.shopify.com/s/files/1/0430/8225/2442/files/jevuraz.pdf
    • https://cdn.shopify.com/s/files/1/0433/6658/0382/files/nemazaradazaxefesufulejew.pdf
    • https://cdn.shopify.com/s/files/1/0436/0765/4563/files/business_card_sample.pdf
    • https://cdn.shopify.com/s/files/1/0429/6510/6847/files/93876814476.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b776.bin
6cde62d76f1577b9e51e0acc5ceace493195fa1766065d5876ea61f99c73d649		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB776 5204 bytes
font_01_sfnt_off0000c933.bin
db6a73ff123a02a1fa7018c5190d05ec82f21e5280727757811e38e4a1b785de		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC933 14264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.