Malicious PDF — malware analysis report

Static analysis result for SHA-256 83dcabffb17f8267…

Verdict: MALICIOUS
File type: PDF
Size: 117.4 KB
Created: 2020-08-17 00:38:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 44afc415e8a81eec4a9ab2e9b3747317
SHA-1: cfda05ad674857fdd4174fe99e8c06cd28414bf2
SHA-256: 83dcabffb17f8267c4982cc28750c8f09d6094d126b3b85b5dd861527ed77194
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=c.+a.+t+uniforms+philippines'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with 'https://cdn.shopify.com/s/files/1/0440/7207/5414/files/raxisu.pdf' being the first identified. The document body, though heavily obfuscated, contains the same URL as the malicious redirector. This suggests the primary intent is to direct users to malicious infrastructure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/pify?keyword=c.+a.+t+uniforms+philippines
    • http://files.thehqha.org/uploads/1/3/2/6/132681969/giwesozuvowar.pdf
    • http://files.symmetry-careers.com/uploads/1/3/1/4/131454699/razulil.pdf
    • http://files.sierralovestowell.com/uploads/1/3/1/0/131071298/1f05af97.pdf
    • http://files.roseebudsllc.com/uploads/1/3/2/7/132711961/najivefawipela_goruzat.pdf
    • https://cdn.shopify.com/s/files/1/0440/7207/5414/files/raxisu.pdf
    • https://cdn.shopify.com/s/files/1/0433/4403/5993/files/routing_algorithms_in_computer_networks_notes.pdf
    • https://cdn.shopify.com/s/files/1/0435/8589/6609/files/seus_shaders_1._7._10.pdf
    • https://cdn.shopify.com/s/files/1/0429/1405/4300/files/ashrae_handbook_2020_free.pdf
    • https://cdn.shopify.com/s/files/1/0430/7176/6690/files/nonadulidozumadujome.pdf
    • https://cdn.shopify.com/s/files/1/0434/3057/6285/files/timpanometria_de_alta_frecuencia.pdf
    • https://cdn.shopify.com/s/files/1/0433/7880/2846/files/cancer_de_prostata_imss.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/58085676994.pdf
    • https://cdn.shopify.com/s/files/1/0440/4117/5190/files/los_riesgos_psicosociales_y_el_estrs_en_el_trabajo.pdf
    • https://cdn.shopify.com/s/files/1/0433/3204/2920/files/dasixux.pdf
    • https://cdn.shopify.com/s/files/1/0429/9004/3287/files/89764259895.pdf
    • https://cdn.shopify.com/s/files/1/0430/6888/3097/files/english_thesaurus_dictionary.pdf
    • https://cdn.shopify.com/s/files/1/0433/3155/1400/files/expanding_tactics_for_listening_3rd_edition.pdf
    • https://cdn.shopify.com/s/files/1/0437/4659/0872/files/ascii_code_table.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_007_off0001891d.bin | 2d12ecae43cadaf4db8ed8b0674eb499b75cc4aad98a0fdbd9ffca2af1ec9a66 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1891D | 9016 bytes
font_00_sfnt_off00016044.bin | 3a77c431143dc4067c5b8ebdb22d874bdbeeb5c2482ce2bd23cdd4a1aca87083 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16044 | 6888 bytes
font_01_sfnt_off00017803.bin | a345e5c43f75341842fd38977b235e813b4c59d4b5971b5c916d7f5150adc3f5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17803 | 5080 bytes
font_03_sfnt_off0001a268.bin | d280a237497424d0c0c3a0f9f2d874dbb3149b40aae1fed7d7790afee14fa701 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A268 | 10780 bytes