Malicious PDF — malware analysis report

Static analysis result for SHA-256 90bf39139114d2a4…

MALICIOUS

PDF

47.0 KB Created: 2020-08-09 20:31:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b94aec123334ed16e0113094ca29e7c SHA-1: 408e3b16fabcbd46e5ef75571cf60cee758a49b3 SHA-256: 90bf39139114d2a4864a8a37cd8f900cacb8c519738cfb20007ecb62e0b926e9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating it links to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=power+amp+design+pdf', which is likely intended to lead the user to malicious content. The PDF also contains a mass external PDF link farm, with the first URL pointing to a Shopify domain, suggesting an attempt to obscure the true destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=power+amp+design+pdf
    • http://files.westfielddentalpa.com/uploads/1/3/0/7/130775942/bavef_kezujuwusuk_javexolizepun.pdf
    • http://files.vanvliet-kassenbouw.nl/uploads/1/3/1/4/131483097/mosozojejo_zazeletexo.pdf
    • http://files.ractproductions.com/uploads/1/3/1/3/131398246/jaruzesip-xufitosopujo-fumuzozeximut-lutikisivuwusa.pdf
    • https://cdn.shopify.com/s/files/1/0452/3904/2205/files/33685447378.pdf
    • https://cdn.shopify.com/s/files/1/0434/8765/8141/files/artificial_intelligence_seminar_report_download.pdf
    • https://cdn.shopify.com/s/files/1/0435/2652/0987/files/49195535505.pdf
    • https://cdn.shopify.com/s/files/1/0428/3393/6547/files/31930986102.pdf
    • https://cdn.shopify.com/s/files/1/0429/2067/3433/files/request_letter_for_job.pdf
    • https://cdn.shopify.com/s/files/1/0429/2401/5783/files/soxajimuza.pdf
    • https://cdn.shopify.com/s/files/1/0435/2737/2955/files/2256175470.pdf
    • https://cdn.shopify.com/s/files/1/0430/6662/2105/files/10586674440.pdf
    • https://cdn.shopify.com/s/files/1/0433/7447/7473/files/wilovogubufusipaxek.pdf
    • https://cdn.shopify.com/s/files/1/0431/4837/8274/files/tilidomoritasoru.pdf
    • https://cdn.shopify.com/s/files/1/0433/2103/2859/files/jupetunik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007946.bin
883684f1db24c8e494d5395da9bb9f2cbd6b22ee3bf7b710105b33541ab4d537		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7946 5420 bytes
font_01_sfnt_off00008bbb.bin
b9f46959fcfbafb14f24fb1f928933f8a6e02e14bd210d4cbe5a8c66d7c10337		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8BBB 10380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.