Malicious PDF — malware analysis report

Static analysis result for SHA-256 924425485f748ade…

MALICIOUS

PDF

40.8 KB Created: 2020-08-21 01:20:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7e67f9fd91050b610fa71d0b6a2441c2 SHA-1: 41b4d33fb1e9b64160cdec6719eef2e334c20c4d SHA-256: 924425485f748ade7cf731029559d25e5c522713144efa75d3cea96dd61aabce
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to Shopify domains hosting what appear to be software download PDFs. One critical heuristic identified a link to a known malicious redirector, ttraff.com, which is used to obscure the final destination. The document body contains the URL 'https://ttraff.com/pify?keyword=barney+stinson+bro+code', suggesting a lure related to the 'bro code' and potentially free software. The presence of multiple unknown and benign-looking Shopify links suggests a link farm designed to attract users searching for downloads, with the malicious redirector being the actual payload delivery mechanism.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=barney+stinson+bro+code
    • http://mogibaziw.estesparkeventscomplex.com/uploads/1/3/0/7/130739553/siponolalunawameb.pdf
    • http://nodageb.dance4him.org/uploads/1/3/1/4/131454106/voziju_suteze_romukixegaku.pdf
    • http://files.darbodus.com.au/uploads/1/3/0/8/130815437/divejigajer.pdf
    • https://cdn.shopify.com/s/files/1/0430/3152/7577/files/purevpn_free_with_crack.pdf
    • https://cdn.shopify.com/s/files/1/0437/1460/9305/files/android_root_tool_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/8884/6753/files/77862945268.pdf
    • https://cdn.shopify.com/s/files/1/0430/7864/7957/files/malayalam_bible_quiz_genesis.pdf
    • https://cdn.shopify.com/s/files/1/0434/3015/0300/files/85451714045.pdf
    • https://cdn.shopify.com/s/files/1/0429/9125/5713/files/wipozugowevajat.pdf
    • https://cdn.shopify.com/s/files/1/0432/0978/5512/files/watovazejiravoduxaligat.pdf
    • https://cdn.shopify.com/s/files/1/0438/2497/1936/files/that_irresistible_poison_alessandra_hazard_espaol.pdf
    • https://cdn.shopify.com/s/files/1/0437/5016/2583/files/girilekiwi.pdf
    • https://cdn.shopify.com/s/files/1/0436/4235/5865/files/71115250722.pdf
    • https://cdn.shopify.com/s/files/1/0435/0243/6512/files/2009_mitsubishi_galant_owners_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006139.bin
799379e3cd946cc602bd9c5940d87910e7becbf4a1b7357e0e18b795cf5dd319		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6139 5192 bytes
font_01_sfnt_off000072e6.bin
28d2197e59d41bdffaa0be1781418b6b8b7e5d099dcb900fbf99627a4e6b2f7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72E6 10672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.