Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c5035eefbfc2faf…

MALICIOUS

PDF

46.4 KB Created: 2020-08-23 17:42:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a44d40d7d96a95d11d3ba5f2fa014f3a SHA-1: 3ff63eda76f9d6f88dee4e5cada1e446dfa069cc SHA-256: 8c5035eefbfc2faf21fde4424687a1464370d87244232047e3d1e1c9c8429ff3
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.cc/pify?keyword=fitness+instructor+guidelines`. Additionally, it exhibits a PDF link farm, with many links pointing to Shopify-hosted PDFs, including `https://cdn.shopify.com/s/files/1/0430/6996/4439/files/zilesarubi.pdf`. The presence of a visual download button lure further supports the malicious intent of redirecting users to potentially harmful content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=fitness+instructor+guidelines
    • http://files.adsnartspiritwear.com/uploads/1/3/1/1/131164275/suvovob_tulanojiloforud.pdf
    • https://cdn.shopify.com/s/files/1/0430/6996/4439/files/zilesarubi.pdf
    • https://cdn.shopify.com/s/files/1/0432/5448/1054/files/chicken_bruschetta_sheet_pan_dinner.pdf
    • https://cdn.shopify.com/s/files/1/0432/0441/1556/files/43176243284.pdf
    • https://cdn.shopify.com/s/files/1/0428/4357/0343/files/74075551229.pdf
    • https://cdn.shopify.com/s/files/1/0436/0273/9362/files/34713132078.pdf
    • https://cdn.shopify.com/s/files/1/0432/1044/0862/files/49859197796.pdf
    • https://cdn.shopify.com/s/files/1/0431/5417/8216/files/rosuparekabi.pdf
    • https://cdn.shopify.com/s/files/1/0437/6992/1690/files/74028414366.pdf
    • https://cdn.shopify.com/s/files/1/0437/4691/8551/files/social_factors_affecting_consumer_buying_behaviour.pdf
    • https://cdn.shopify.com/s/files/1/0434/8254/6341/files/tomaso_albinoni_adagio.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000787d.bin
c752a22569731c61938a9d9407152dcd368697426389326175977af2f7baf931		 pdf-font-stream PDF embedded font (sfnt) at offset 0x787D 4852 bytes
font_01_sfnt_off0000890a.bin
53193a2947bffb6b12492500795e380408c7fee86197251a7e33a89c51521fff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x890A 10608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.