Malicious PDF — malware analysis report

Static analysis result for SHA-256 973b12c38c26471d…

Verdict: MALICIOUS
File type: PDF
Size: 41.6 KB
Created: 2020-08-14 20:49:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5adeded8e1d5cd82190adb24faf2ba5c
SHA-1: a1bab1a9eabcba50454902c2da2dff571fc1f634
SHA-256: 973b12c38c26471d14f20d48cccc69e990182b5482bc199d012bc25915fd43ff
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains multiple embedded links, with a critical heuristic identifying a link to a known malicious redirector at 'https://ttraff.com/pify?keyword=credit+suisse+wealth+report+2017'. Another heuristic indicates a large number of external PDF links, suggesting a link farm. The document body, though heavily obfuscated, contains references to 'Credit Suisse wealth report 2017' and the malicious URL, reinforcing the lure. No scripts were extracted, but the primary attack vector appears to be social engineering via malicious links within the PDF.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs
    • https://ttraff.com/pify?keyword=credit+suisse+wealth+report+2017
    • http://files.davecameronphotography.com/uploads/1/3/1/6/131606844/5238851.pdf
    • http://files.thejambalayashoppe.com/uploads/1/3/1/3/131398515/73a5ac06bd.pdf
    • http://files.harvestharrisburg.org/uploads/1/3/1/4/131407067/jemawigufesijakiv.pdf
    • http://files.victoria-security.com/uploads/1/3/0/7/130776511/mekog_jesatokasuzisi_mibilugorapumo_vukesogezafij.pdf
    • https://cdn.shopify.com/s/files/1/0441/0382/7608/files/50738343797.pdf
    • https://cdn.shopify.com/s/files/1/0440/2076/0741/files/gemstone_of_bloodaxe.pdf
    • https://cdn.shopify.com/s/files/1/0439/6895/4526/files/suwog.pdf
    • https://cdn.shopify.com/s/files/1/0440/9825/7048/files/bonemuzenomuvubusozi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9223/0823/files/accuweather_vancouver_wa.pdf
    • https://cdn.shopify.com/s/files/1/0432/8233/3851/files/57196776373.pdf
    • https://cdn.shopify.com/s/files/1/0429/5104/9370/files/rilefufizu.pdf
    • https://cdn.shopify.com/s/files/1/0430/9729/2967/files/83037442179.pdf
    • https://cdn.shopify.com/s/files/1/0432/0018/4477/files/ccna_routing_and_switching_lab_workbook_200_125.pdf
    • https://cdn.shopify.com/s/files/1/0430/7327/4018/files/dodokugaj.pdf
    • https://cdn.shopify.com/s/files/1/0432/6942/3269/files/leremezipeliba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006394.bin
SHA-256: 3cde1923dee0180bf08c32e94abeef2168d0cf31e7a834ab6936f8ade6272143
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6394
Size: 5448 bytes

Filename: font_01_sfnt_off0000762c.bin
SHA-256: 52de1e9f888e95e67525bd70a05b1e8a97991287605f53b048ac27e3ee8937e2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x762C
Size: 10424 bytes