Malicious PDF — malware analysis report

Static analysis result for SHA-256 910193b27e09f2bf…

MALICIOUS

PDF

48.9 KB Created: 2020-08-30 03:00:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 90b60786447529d89ebfc5d0b2b4def5 SHA-1: c4b0972f270044ea2f16be34827181810ad56dd5 SHA-256: 910193b27e09f2bf25d9e6fa06a1a3fdd6a417706efeeb14f42ae3608a6b0958
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=snes+castlevania+dracula+x'. It also exhibits characteristics of a PDF link farm, embedding numerous external links, with the first being 'https://cdn.shopify.com/s/files/1/0436/5382/4677/files/dipifisubafirez.pdf'. The document body, though heavily obfuscated, contains the same redirector URL. This suggests the primary goal is to redirect the user to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=snes+castlevania+dracula+x
    • https://cdn.shopify.com/s/files/1/0436/5382/4677/files/dipifisubafirez.pdf
    • https://cdn.shopify.com/s/files/1/0436/6172/1765/files/33625797351.pdf
    • https://cdn.shopify.com/s/files/1/0437/7827/7527/files/71905812771.pdf
    • https://cdn.shopify.com/s/files/1/0432/2459/6642/files/31924432959.pdf
    • https://cdn.shopify.com/s/files/1/0433/7614/8638/files/lalel.pdf
    • https://static.usrfiles.com/ugd/ddb60a_e4fbe8979b884e8a9f5617199732be94.pdf
    • https://static.usrfiles.com/ugd/599f1c_210befb2cc884978ba30aa2aba44e1b7.pdf
    • https://static.usrfiles.com/ugd/b8c837_4dec8d5a7b7643518844e8243d688872.pdf
    • https://static.usrfiles.com/ugd/097bd5_080156649e1d42569dcc7b5c3478cb55.pdf
    • https://static.usrfiles.com/ugd/b8c837_fe9d84e07ed642f8838e394471952241.pdf
    • https://static.usrfiles.com/ugd/ddb60a_c126cf25edc84be29a8ebc10ac3cc9fb.pdf
    • https://static.usrfiles.com/ugd/6a7407_72a1d9a6f27f4a26927e2a4e288b7b0e.pdf
    • https://static.usrfiles.com/ugd/b8c837_ca9457cc5666422eb9b1e19050ef0c05.pdf
    • https://static.usrfiles.com/ugd/b8c837_4bc6a584438644838b5e22bc81baf359.pdf
    • https://static.usrfiles.com/ugd/b8c837_e0ec9d01b5224ac2b0db595c21313d7c.pdf
    • https://static.usrfiles.com/ugd/97368a_24f4a5240cd140a6a14961d4b2e0d82f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008025.bin
b1ca8d06074a953123c7d75ad65cf0e97cb79e96bef36e27515cb5a2a52eead9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8025 5164 bytes
font_01_sfnt_off000091ba.bin
7ac3ea98775e8c37f4d5f3e25a2cc0ae186f3b8a74ddbcaa83618e31f71a6ef0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x91BA 10824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.