Malicious PDF — malware analysis report

Static analysis result for SHA-256 9430c9df372a9850…

MALICIOUS

PDF

35.1 KB Created: 2020-08-02 18:23:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d7d93a9d9f124aec21986e3a0d82867 SHA-1: d6a39fea00ed4b193b5b81e3bbb05e0c5245b9a1 SHA-256: 9430c9df372a9850284d39a7881e80bada8c51612df59aec09e30fde679c75de
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com', which is used in a lure related to agricultural tools. It also exhibits characteristics of a link farm, embedding numerous external links, many of which point to Shopify domains. The primary malicious IOC is the redirector URL, which is likely intended to lead the user to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=herramientas%20manuales%20agricolas%20precio
    • http://files.courtneybeardall.com/uploads/1/3/0/7/130739628/dusojitivasut-xigelumabujo.pdf
    • http://files.pathwayworship.net/uploads/1/3/1/3/131384638/xapogeti-bibivivexad-fimope-josoveti.pdf
    • http://files.settimocieloretreat.com/uploads/1/3/1/4/131408353/d7f7468f8288797.pdf
    • https://cdn.shopify.com/s/files/1/0437/3502/3770/files/national_electrical_safety_code_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0437/3990/6209/files/30978374340.pdf
    • https://cdn.shopify.com/s/files/1/0437/5783/0298/files/wejopugaxikuburut.pdf
    • https://cdn.shopify.com/s/files/1/0434/8149/7766/files/zisozonamularutodizilole.pdf
    • https://cdn.shopify.com/s/files/1/0438/0668/7389/files/48090831413.pdf
    • https://cdn.shopify.com/s/files/1/0435/2396/5079/files/lutugade.pdf
    • https://cdn.shopify.com/s/files/1/0434/5013/8784/files/28882038446.pdf
    • https://cdn.shopify.com/s/files/1/0430/0177/4233/files/85839629736.pdf
    • https://cdn.shopify.com/s/files/1/0435/9490/7810/files/lunavefiwemebulirilubinux.pdf
    • https://cdn.shopify.com/s/files/1/0432/2865/9870/files/kuvokev.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tufajotojitumawudawemir.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004cba.bin
9344cb80bbaeaaf744671687db467d2d3e46a948bfc3a26cb8d57ce4836d2847		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4CBA 5216 bytes
font_01_sfnt_off00005e5f.bin
3f03ac6318f203691530ff27eee7b7383d9aea6d86c07287a64685aadb40eec9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E5F 9788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.