Malicious PDF — malware analysis report

Static analysis result for SHA-256 90f067935361aef6…

MALICIOUS

PDF

42.7 KB Created: 2020-08-29 19:39:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ca720c7dfe891aa38854d5affc81db5 SHA-1: 2260815a91282855a7dd72c5a4fc5525c3a05f79 SHA-256: 90f067935361aef6126a716ea2c83b37800e8fbbe107cc9009cfb3698bdffc92
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic match for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to malicious infrastructure. The document body, though heavily obfuscated, contains the string 'Jannat songs download' and the malicious URL 'https://ttraff.ru/wix?keyword=jannat+songs+download'. This suggests the document's purpose is to trick users into visiting the malicious URL, likely for further exploitation or credential harvesting.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=jannat+songs+download
    • https://cdn.shopify.com/s/files/1/0433/2666/8952/files/30936514361.pdf
    • https://cdn.shopify.com/s/files/1/0455/7009/7317/files/afspa_act.pdf
    • https://cdn.shopify.com/s/files/1/0431/6954/6395/files/tesibiliwagoxujomir.pdf
    • https://cdn.shopify.com/s/files/1/0435/2252/3288/files/powerman_5000_bombshell.pdf
    • https://static.usrfiles.com/ugd/b8c837_da5adb8e71fd40859d7005dd63a525a9.pdf
    • https://static.usrfiles.com/ugd/b65acf_7ace611da7864c11b6d3fc1df7853c16.pdf
    • https://static.usrfiles.com/ugd/cbdbb6_d71e9b1c91474af38074cddd1f67a0ad.pdf
    • https://static.usrfiles.com/ugd/b8c837_bec8430e06fd4bc1a8199ad3303ab3a3.pdf
    • https://static.usrfiles.com/ugd/b8c837_e8a828d5db344b34b4a16364c9714aa7.pdf
    • https://cdn.shopify.com/s/files/1/0433/4823/0297/files/abhijit_banerjee_nobel_economics.pdf
    • https://cdn.shopify.com/s/files/1/0431/4837/8280/files/bsc_marksheet_format.pdf
    • https://cdn.shopify.com/s/files/1/0432/0067/5995/files/lorukiperuwobafat.pdf
    • https://cdn.shopify.com/s/files/1/0428/1679/8883/files/63315717884.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0431/6954/6395/files/tesibiliwagoxuj

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005dd1.bin
7951c2bac3723564de126171076d4f88085e7f9c29e55a4e91a3dcb3c6cd1542		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DD1 4980 bytes
font_01_sfnt_off00006ee2.bin
0be95c7064013ff2ca9dd930f5884b2001f62f1fed765995fb80439ec6fd4873		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EE2 15528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.