Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c6f7f27e1553f5b…

MALICIOUS

PDF

66.3 KB Created: 2020-08-27 21:57:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49335d011ec4dfa86b3ab49b997f432d SHA-1: d2ff5f3e160fe50c7adfb521fc7dfd89c7acddcb SHA-256: 8c6f7f27e1553f5bb7bc293d2bcf5e111e602c0d1574d1dd5b756113a6aa4efb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The PDF also contains a large number of embedded links to Shopify domains, likely an attempt to blend in with benign content, but one of these is also flagged as a redirector. No scripts were extracted, and the PDF structure itself does not indicate specific exploitation, but the redirector is a strong indicator of malicious intent, likely for phishing or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=dark+pact+poe+build
    • http://muwareseb.outreachministrieschurch.com/uploads/1/3/1/4/131453062/7aa24947.pdf
    • https://cdn.shopify.com/s/files/1/0437/3381/1351/files/11183876979.pdf
    • https://cdn.shopify.com/s/files/1/0435/9041/8591/files/lobadagexu.pdf
    • https://cdn.shopify.com/s/files/1/0431/2858/6402/files/88033839841.pdf
    • https://cdn.shopify.com/s/files/1/0434/1540/4702/files/radula.pdf
    • https://cdn.shopify.com/s/files/1/0428/9386/9212/files/inna_s_mantra_set_dungeon_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/3785/9741/files/auditing_and_assurance_services_messier.pdf
    • https://cdn.shopify.com/s/files/1/0438/1730/4226/files/ccps_books.pdf
    • https://cdn.shopify.com/s/files/1/0433/5599/6328/files/acrobat_reader_edit_online.pdf
    • https://cdn.shopify.com/s/files/1/0430/9804/6621/files/moxozadabigen.pdf
    • https://cdn.shopify.com/s/files/1/0434/8048/1958/files/employees_provident_fund_board_annual_report.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000af0b.bin
fc8a5a20bc12443cfb2b999e44d38fbd211b8d7a114b2444c5fdf99532535e21		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAF0B 4868 bytes
font_01_sfnt_off0000bfa6.bin
724a973edfc156824780b4d679b5d6c3bde8aa01a3e80ed6a348f56755877ef5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBFA6 14840 bytes
font_02_sfnt_off0000ee39.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE39 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.