Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bb579b1599ca10b…

Verdict: MALICIOUS
File type: PDF
Size: 48.3 KB
Created: 2020-08-29 08:18:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b4400ad21e81081143172827cc7ae1f
SHA-1: 2814ff1cf5351233c3a490731b7616fdc46a00b4
SHA-256: 9bb579b1599ca10b4e687e12a4dcc2cc9decbbbb4e066a49216e4fb83614766f
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a lure related to invoice approval, as flagged by the 'SE_INVOICE_LURE' heuristic. It embeds numerous links; the critical finding is a link to known malicious redirector infrastructure at 'https://ttraff.ru/wix?keyword=invoice+approval+form+template+free'. The PDF also carries a link farm pointing to many external PDFs, predominantly hosted on cdn.shopify.com and static.usrfiles.com. No scripts were extracted from this sample.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure (low) SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/wix?keyword=invoice+approval+form+template+free
    • https://cdn.shopify.com/s/files/1/0429/6104/3605/files/bootstrap_form_input_type_color.pdf
    • https://cdn.shopify.com/s/files/1/0440/0345/9230/files/41455648772.pdf
    • https://cdn.shopify.com/s/files/1/0429/8565/2375/files/laporan_pendahuluan_fistula_ani.pdf
    • https://cdn.shopify.com/s/files/1/0432/0254/3778/files/britannica_illustrated_science_library_ecology.pdf
    • https://cdn.shopify.com/s/files/1/0429/3358/4028/files/80122234749.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a2a6f31a632415b9c76541145582218.pdf
    • https://static.usrfiles.com/ugd/b8c837_aecadd9cdb7045529b35631a50221f2e.pdf
    • https://static.usrfiles.com/ugd/b8c837_06f4b874ea354103be66a26c2c57c641.pdf
    • https://static.usrfiles.com/ugd/b8c837_407c605c881c44f1a4d6a1741ebced12.pdf
    • https://static.usrfiles.com/ugd/b8c837_3333b93d602148d5a90ff195de6b3302.pdf
    • https://static.usrfiles.com/ugd/b8c837_42246c1f7e694986bcaaca0ab1f366a2.pdf
    • https://static.usrfiles.com/ugd/b8c837_6af7c90fc7c6482182a8da4ad1b15588.pdf
    • https://static.usrfiles.com/ugd/b8c837_319dcc4883274e6bb420b8e9bea3a978.pdf
    • https://static.usrfiles.com/ugd/b8c837_54730b8e1bef4a45af9400fd92cb71b1.pdf
    • https://static.usrfiles.com/ugd/b8c837_abdb5ec905934ac38841caae9bb13ccf.pdf
    • https://static.usrfiles.com/ugd/b8c837_bb28bba2e9e2433cb5d6891e4461d7a4.pdf
    • https://static.usrfiles.com/ugd/b8c837_b74dfd45a8ad4ce9b38ab136b8467e9c.pdf
    • https://static.usrfiles.com/ugd/b8c837_4d1a1d37448548b1a9bbe40b3a861ae5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000072e1.bin
    SHA-256: 604720ba064e2acfa4b46b6774784b7ac0bb3625cc8d1f9f5b2991d5126f1fad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72E1
    Size: 4768 bytes
  • font_01_sfnt_off000082f5.bin
    SHA-256: 18abaf72cfe4bc435ab0362a879470491c1adfea109be1f173379efd11ea8185
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x82F5
    Size: 10332 bytes
  • font_02_sfnt_off0000a62c.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA62C
    Size: 4324 bytes