Malicious PDF — malware analysis report

Static analysis result for SHA-256 874438aecf7b746a…

Verdict: MALICIOUS
File type: PDF
Size: 53.4 KB
Created: 2020-08-24 00:57:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e5bf6771841c434028885e4a8284a7c
SHA-1: 183a7af899aebcf472bb07b05481b343ec91575b
SHA-256: 874438aecf7b746a33bbc1673cc1e9bb21047143bf0a52e05356c121d6e2ef78
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the lure is a clickable URI inside the document; T1566.001 Spearphishing Attachment is the sub-technique for the PDF itself arriving as an e-mail attachment, and the original label mixed the two)
T1059.001 PowerShell (reported by the analysis engine; no script content was extracted from this sample, so nothing on this page substantiates this mapping)

The PDF carries a clickable link to ttraff.com, a known malicious redirector that is most likely used to hide the final destination of the payload. The same URL also appears in the document body, which is heavily obfuscated, indicating that it is the primary lure. The large number of external links to other PDFs matches a link farm, a common SEO-poisoning tactic for steering search traffic to malicious sites; the wkhtmltopdf producer string is consistent with a document generated from HTML rather than authored by hand. No scripts (JavaScript or otherwise) were extracted from this sample, so infection depends on the user clicking the link and following a redirect chain, not on a PDF parser vulnerability.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not the citation pattern of a normal document.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link targets (the ttraff.com entry is the one matched by PDF_MALICIOUS_REDIRECTOR_LINK; the .pdf entries are the link farm):
      • https://ttraff.com/pify?keyword=puzzle+and+dragons+japanese+apk
      • http://files.watersportsrep.com/uploads/1/3/1/6/131637081/kurel-fumokoxi.pdf
      • https://cdn.shopify.com/s/files/1/0434/9073/8328/files/18054370565.pdf
      • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/4274895189.pdf
      • https://cdn.shopify.com/s/files/1/0429/0494/4807/files/vaniwen.pdf
      • https://cdn.shopify.com/s/files/1/0433/7631/2478/files/94079579970.pdf
      • https://cdn.shopify.com/s/files/1/0431/0859/7927/files/fallout_4_ammo_codes.pdf
      • https://cdn.shopify.com/s/files/1/0435/6295/8997/files/83292759020.pdf
      • https://cdn.shopify.com/s/files/1/0432/6067/4198/files/46853152031.pdf
      • https://cdn.shopify.com/s/files/1/0439/6836/4702/files/zizutusikapodeminifituwiv.pdf
      • https://cdn.shopify.com/s/files/1/0434/7500/9698/files/35437269264.pdf
      • https://cdn.shopify.com/s/files/1/0435/1941/0335/files/pesovegobomatipina.pdf
    Namespace URIs from the XMP metadata stream (RDF, Dublin Core and Adobe PDF/XMP schema identifiers). These appear in virtually every PDF that carries XMP metadata, are not clickable, and are not indicators; they are listed only because the URL extractor does not distinguish them:
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
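The three heuristics above can be reproduced with a small amount of code. The following is an added example written for this report, not the analysis engine's own logic: it pulls /URI actions out of Link annotations and xmlns declarations out of the XMP stream, labels each URL with the channel it came from, and then applies a redirector match and a link-farm test. The thresholds (at most 200 KB, at least 8 external .pdf links, at least half of them on one host), the redirector set containing only ttraff.com, and the minimal PDF skeleton used as input are all assumptions for the example; the URL list is copied from the report. The extractor works on uncompressed objects only and does not inflate FlateDecode streams, which a real scanner must do first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds for the link-farm heuristic. Assumptions for this example,
# not the real engine's tuning.
LINK_FARM_MIN_PDF_LINKS = 8           # "many" external .pdf links
LINK_FARM_MAX_FILE_SIZE = 200 * 1024  # "small" PDF
LINK_FARM_TOP_HOST_SHARE = 0.5        # "mostly clustered on one host"

# Redirector hosts to match. ttraff.com is the one named in the report;
# in practice this set would be fed from threat intelligence.
KNOWN_REDIRECTORS = {"ttraff.com"}

# XMP/RDF schema identifiers: present in nearly every PDF with metadata,
# never clickable, so they must not feed the link heuristics.
METADATA_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/",
    "http://ns.adobe.com/",
)

# /URI (literal string) in a Link annotation action, honouring \( and \) escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# xmlns:prefix="..." declarations inside an XMP metadata stream.
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="([^"]+)"')


def extract_urls(pdf_bytes):
    """Return (url, channel) pairs from uncompressed /URI actions and XMP xmlns URIs."""
    found = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")")
        found.append((raw.decode("latin-1"), "link annotation"))
    for m in XMLNS_RE.finditer(pdf_bytes):
        found.append((m.group(1).decode("latin-1"), "xmp namespace"))
    return found


def classify(pdf_bytes):
    """Apply the report's three heuristics; returns (severity, rule, evidence) tuples."""
    urls = extract_urls(pdf_bytes)
    clickable = [u for u, ch in urls
                 if ch == "link annotation" and not u.startswith(METADATA_NAMESPACE_PREFIXES)]
    hits = []

    redirectors = sorted({urlparse(u).hostname for u in clickable
                          if urlparse(u).hostname in KNOWN_REDIRECTORS})
    if redirectors:
        hits.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirectors))

    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_bytes) <= LINK_FARM_MAX_FILE_SIZE and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS:
        host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= LINK_FARM_TOP_HOST_SHARE:
            hits.append(("critical", "PDF_SEO_LINK_FARM", [f"{n}/{len(pdf_links)} on {host}"]))

    if urls:  # informational: every URL with the channel that reached it
        hits.append(("info", "EMBEDDED_URL", [f"{u} [{ch}]" for u, ch in urls]))
    return hits


def build_sample_pdf(urls):
    """Constructed test input (not the analysed sample): a minimal uncompressed
    PDF skeleton with one Link annotation per URL plus a two-namespace XMP stream."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>\n"
        % u.encode() for u in urls)
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"></rdf:RDF>')
    return (b"%PDF-1.4\n" + annots
            + b"<< /Type /Metadata /Subtype /XML >>\nstream\n" + xmp + b"\nendstream\n%%EOF\n")


# Clickable URLs copied from the report's EMBEDDED_URL list.
SAMPLE_URLS = [
    "https://ttraff.com/pify?keyword=puzzle+and+dragons+japanese+apk",
    "http://files.watersportsrep.com/uploads/1/3/1/6/131637081/kurel-fumokoxi.pdf",
    "https://cdn.shopify.com/s/files/1/0434/9073/8328/files/18054370565.pdf",
    "https://cdn.shopify.com/s/files/1/0433/0687/7080/files/4274895189.pdf",
    "https://cdn.shopify.com/s/files/1/0429/0494/4807/files/vaniwen.pdf",
    "https://cdn.shopify.com/s/files/1/0433/7631/2478/files/94079579970.pdf",
    "https://cdn.shopify.com/s/files/1/0431/0859/7927/files/fallout_4_ammo_codes.pdf",
    "https://cdn.shopify.com/s/files/1/0435/6295/8997/files/83292759020.pdf",
    "https://cdn.shopify.com/s/files/1/0432/6067/4198/files/46853152031.pdf",
    "https://cdn.shopify.com/s/files/1/0439/6836/4702/files/zizutusikapodeminifituwiv.pdf",
    "https://cdn.shopify.com/s/files/1/0434/7500/9698/files/35437269264.pdf",
    "https://cdn.shopify.com/s/files/1/0435/1941/0335/files/pesovegobomatipina.pdf",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for severity, rule, evidence in classify(SAMPLE_PDF):
        print(f"[{severity}] {rule}")
        for item in evidence:
            print("    ", item)
```

On the constructed sample this yields the same three rules as the report, with 10 of the 11 .pdf links on cdn.shopify.com; the two xmlns URIs show up only under EMBEDDED_URL, tagged "xmp namespace", and never count toward the link farm.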

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded font programs (sfnt containers) carved from PDF font streams; none of the heuristics above refer to them.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00006007.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6007   3748 bytes
  SHA-256: f8557305eec453fa9d1363d9a5fd5cf0b2b05ff3ee09f2e6a1ad28b759e5f8af
font_01_sfnt_off00006d3b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6D3B   5072 bytes
  SHA-256: 5d6d1d0cb593a7be0d90f9beaaef82ee9c420d637a798e9d58cafd6dafaa9c1c
font_02_sfnt_off00007e91.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7E91   10504 bytes
  SHA-256: 8ff04fe7e2353c638014552b497499a3ebe24b8dee506fc611869ce05ad0803a
font_03_sfnt_off0000a2d0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA2D0   16204 bytes
  SHA-256: 31aa257675234f953cb39254c73a0c002637764ec2691c470e0912636c3685cf
font_04_sfnt_off0000b7fe.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB7FE   4324 bytes
  SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230