Malicious PDF — malware analysis report

Static analysis result for SHA-256 926519a8294515db…

MALICIOUS

PDF

42.5 KB Created: 2020-08-10 00:50:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de65041aca71a272689ba1f9d54558ba SHA-1: 4187346d62f8a624e9de3e139d1ce6de85ffec9e SHA-256: 926519a8294515db2a5f3986b4faf3fb34513a0aa22e8085f914f7bb51001bf2
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=banking+case+study+questions+and+answers+pdf'. This URL, combined with the 'SE_PAYMENT_REDIRECT_LURE' heuristic, strongly suggests a business email compromise or phishing attempt related to financial transactions. The document also exhibits a PDF link farm, with numerous links hosted on cdn.shopify.com, likely to obscure the malicious redirector and improve search engine visibility.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=banking+case+study+questions+and+answers+pdf
    • http://files.derrickanthonyking.com/uploads/1/3/1/4/131454505/199e8f7f22d.pdf
    • http://files.bryndolman.com/uploads/1/3/0/7/130775753/ritoteniwop.pdf
    • http://files.hikesdelmon.com/uploads/1/3/0/7/130775817/ba44415160.pdf
    • https://cdn.shopify.com/s/files/1/0437/4790/1592/files/31481966794.pdf
    • https://cdn.shopify.com/s/files/1/0434/9899/5864/files/wgu_readiness_assessment.pdf
    • https://cdn.shopify.com/s/files/1/0431/9313/9364/files/42337986193.pdf
    • https://cdn.shopify.com/s/files/1/0431/1898/5377/files/synonyms_and_antonyms_mcqs_with_answers.pdf
    • https://cdn.shopify.com/s/files/1/0438/2107/2546/files/lil_boosie_thriller.pdf
    • https://cdn.shopify.com/s/files/1/0430/5725/0455/files/29567564068.pdf
    • https://cdn.shopify.com/s/files/1/0434/9516/2022/files/faxudovojisoxazegumifob.pdf
    • https://cdn.shopify.com/s/files/1/0432/8616/7702/files/91937310310.pdf
    • https://cdn.shopify.com/s/files/1/0428/7728/8611/files/69459833123.pdf
    • https://cdn.shopify.com/s/files/1/0436/1653/4685/files/31595902116.pdf
    • https://cdn.shopify.com/s/files/1/0432/4851/7275/files/dog_pile_com.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000067cd.bin
fd7612afb2419ea97d12f5eea32a30009108aa8e21ade4728c638d770f4994a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67CD 5724 bytes
font_01_sfnt_off00007b73.bin
83a941bce92efb1dc0636887fe063dddcefd4c1d8ebfaa3f0e5427489ccfd682		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B73 9920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.