Malicious PDF — malware analysis report

Static analysis result for SHA-256 96ee9e8973f20a86…

Verdict: MALICIOUS

File type: PDF

Size: 47.6 KB
Created: 2020-08-14 15:29:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 436915c71e600792c629cb401d8cf267
SHA-1: 014a87f886e9a02a710a2f66c13d3785e208c60a
SHA-256: 96ee9e8973f20a86b60ee6f94eb75f5e8030d1899730a5e0a89603edc823613e
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link farm designed to lure users to malicious redirectors, specifically identified as 'https://ttraff.cc/pify?keyword=e+reporting+and+sales+analysis'. This heuristic firing indicates a phishing or social engineering attack. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the attack vector. No scripts were extracted, limiting further analysis of payload delivery.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=e+reporting+and+sales+analysis

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006fd1.bin
    SHA-256: 5ebb2b659f2a880d0cd437af08b6e6c63a24af632905e060e2403644e2aaf4db
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FD1
    Size: 5188 bytes
  • Filename: font_01_sfnt_off00008184.bin
    SHA-256: 6b3a668a512ae8fa8c1fd9e088f568d751c5ef6aa5655e3b3c8677c76e82679d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8184
    Size: 15392 bytes