Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c80f94955d0717c…

MALICIOUS

PDF

95.8 KB Created: 2020-08-28 21:42:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 37a13af3bf545f8c94617b59ae99f8cd SHA-1: 2e9989d356ab8981b9b87c6cdff5cd6aa353bc00 SHA-256: 8c80f94955d0717c69a207477df169a0cb67208f191de03b9decbdbc83cdb6bc
168 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF contains numerous links, many pointing to Shopify, but one critical link redirects to a known malicious domain, ttraff.com. The presence of a 'download button' lure and password instructions suggests a social engineering attempt to trick the user into clicking the malicious link. The document body, though heavily obfuscated, contains the malicious URL. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic confirms the malicious nature of the ttraff.com URL.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=undelete+plus+licence+key
    • https://cdn.shopify.com/s/files/1/0430/9372/1255/files/rubank_elementary_method_clarinet_pd.pdf
    • https://cdn.shopify.com/s/files/1/0434/0357/5454/files/68125884349.pdf
    • https://cdn.shopify.com/s/files/1/0440/0830/8886/files/opposite_of_shallow.pdf
    • https://cdn.shopify.com/s/files/1/0430/8621/7365/files/95213665876.pdf
    • https://cdn.shopify.com/s/files/1/0431/3019/2039/files/wototewopejijibivexozav.pdf
    • https://cdn.shopify.com/s/files/1/0430/8962/5250/files/wagidawi.pdf
    • https://cdn.shopify.com/s/files/1/0428/8669/3023/files/womolipulujoful.pdf
    • https://cdn.shopify.com/s/files/1/0438/9352/2587/files/mipiriwiti.pdf
    • https://cdn.shopify.com/s/files/1/0433/3695/8106/files/guwogexixokizuxuzaw.pdf
    • https://cdn.shopify.com/s/files/1/0430/0609/9605/files/25104999501.pdf
    • https://static.usrfiles.com/ugd/b8c837_15e92f99d0184713afe8be59e0e5d453.pdf
    • https://static.usrfiles.com/ugd/b8c837_a3c3082f7c82491f8803818f1078a616.pdf
    • https://static.usrfiles.com/ugd/b8c837_e7dec993685842a59996048e02d31b77.pdf
    • https://static.usrfiles.com/ugd/b8c837_9dd735709d854609871dd0341f59683b.pdf
    • https://static.usrfiles.com/ugd/b8c837_854c2fd46a664c888cd916e048a33000.pdf
    • https://static.usrfiles.com/ugd/b8c837_9484169f27cb4bb9ba43388afdc33d1b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011c59.bin
cd35207f686b69b0ad9a7e43ae473ba3f23a5f93486868f1168de72ce9ff729c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11C59 4916 bytes
font_01_sfnt_off00012d29.bin
a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12D29 1800 bytes
font_02_sfnt_off000135b6.bin
37a97f05d69161188a09dd84af0f09cf4c824a8e4f1be91757f2aa9405990f5f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x135B6 20236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.