Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e8e072f6ca76c3f…

MALICIOUS

PDF

110.7 KB Created: 2020-08-09 18:20:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fbedcc4d5f038750cbfee7baa73e7ec6 SHA-1: 89c32a7a222c5195e1ab2392aba9a60a2b85b382 SHA-256: 8e8e072f6ca76c3f7d338cf7da07d3b1a7600d125155d47077a3d060948abe8e
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF file contains multiple heuristic firings indicating malicious intent. It includes a critical PDF_MALICIOUS_REDIRECTOR_LINK, pointing to 'https://ttraff.com/pify?keyword=berger+paints+annual+report+2020+pdf', and a PDF_SEO_LINK_FARM with numerous links hosted on cdn.shopify.com. The SE_BROWSER_INSTALL_LURE heuristic suggests social engineering to trick the user into installing something. The document body, though heavily obfuscated, contains the redirect URL, reinforcing the lure.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=berger+paints+annual+report+2020+pdf
    • http://files.thecrusadesports.com/uploads/1/3/1/3/131380107/1a8ba9e.pdf
    • http://files.amandathompsonphoto.com/uploads/1/3/1/8/131856476/1290275.pdf
    • http://files.ucpgreatchefs.com/uploads/1/3/1/6/131606392/27c8033d.pdf
    • http://files.mrsryder.com/uploads/1/3/0/7/130775862/441462.pdf
    • http://kigiwaka.dhammaforeveryone.com/uploads/1/3/1/4/131454012/najuxo-kuwepur-dufeje.pdf
    • https://cdn.shopify.com/s/files/1/0443/1210/1020/files/catalogo_avon_campagna_10_2020.pdf
    • https://cdn.shopify.com/s/files/1/0431/1423/4017/files/kiwowejudovakav.pdf
    • https://cdn.shopify.com/s/files/1/0432/8072/8224/files/69205466064.pdf
    • https://cdn.shopify.com/s/files/1/0447/3847/8229/files/the_once_and_future_king.pdf
    • https://cdn.shopify.com/s/files/1/0436/5382/4677/files/40445003388.pdf
    • https://cdn.shopify.com/s/files/1/0435/6092/7393/files/92470920978.pdf
    • https://cdn.shopify.com/s/files/1/0433/4632/9750/files/29032512031.pdf
    • https://cdn.shopify.com/s/files/1/0437/2617/6407/files/puda_building_bye_laws_2020.pdf
    • https://cdn.shopify.com/s/files/1/0429/4138/2812/files/6316203536.pdf
    • https://cdn.shopify.com/s/files/1/0437/4993/3208/files/57097989416.pdf
    • https://cdn.shopify.com/s/files/1/0439/2475/0491/files/45964293705.pdf
    • https://cdn.shopify.com/s/files/1/0435/9972/4702/files/dikuwi.pdf
    • https://cdn.shopify.com/s/files/1/0431/4352/8609/files/18456917296.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00015edb.bin
80e50e5b2d8559183ea70e222eac4781fe6fedaac74e5ecff2e3fe42c8b808e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15EDB 5532 bytes
font_01_sfnt_off000171bc.bin
117abe74ed5099cecf0729996e2d71b0cbc8ad57f08fb50307b261ca16c3cc90		 pdf-font-stream PDF embedded font (sfnt) at offset 0x171BC 11144 bytes
font_02_sfnt_off000197ca.bin
b09879be15c6eb2246ae7b48c1c275502bdacda3194b2e7a150da035b49823e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x197CA 16068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.