Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c47013d959c20df…

MALICIOUS

PDF

40.4 KB Created: 2020-08-21 01:02:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6bb2b9609a7f30c0c264fc4eb29d964e SHA-1: b8f2284e3d1646185f86eefdeb3e99c58ba19efc SHA-256: 9c47013d959c20df8e8f0f89d7bb60e01fc0f422233116a299d504998c21a915
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a lure related to a "Bkash app offer" and embeds a critical link to a known malicious redirector at https://ttraff.ru/pify?keyword=bkash+app++offer. This indicates a phishing or scam attempt designed to redirect users to malicious infrastructure. The PDF also contains a large number of embedded links, many pointing to benign Shopify URLs, but the presence of the malicious redirector is the primary indicator of compromise.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bkash+app++offer
    • http://files.zaratelabs.com/uploads/1/3/1/6/131636941/votow_niwuf_wevofonugan.pdf
    • https://cdn.shopify.com/s/files/1/0431/5106/5243/files/tina_turner_acid_queen.pdf
    • https://cdn.shopify.com/s/files/1/0432/5313/7570/files/sagukeragufulatatelesi.pdf
    • https://cdn.shopify.com/s/files/1/0432/5851/1510/files/ultrastructure_de_la_cellule_vegetale.pdf
    • https://cdn.shopify.com/s/files/1/0430/7173/3917/files/47679528854.pdf
    • https://cdn.shopify.com/s/files/1/0435/2344/0792/files/sodium_metabisulfite_in_food.pdf
    • https://cdn.shopify.com/s/files/1/0429/2060/7900/files/carreteras_secundarias_libro.pdf
    • https://cdn.shopify.com/s/files/1/0429/7709/9935/files/bowopomagapopij.pdf
    • https://cdn.shopify.com/s/files/1/0429/2267/2284/files/cpt_code_99203_fact_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0432/1614/2497/files/67729479986.pdf
    • https://cdn.shopify.com/s/files/1/0429/9600/7065/files/25693095579.pdf
    • https://cdn.shopify.com/s/files/1/0427/5562/1031/files/64112206080.pdf
    • https://cdn.shopify.com/s/files/1/0447/0479/2729/files/english_grammar_rules_and_usage.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a36.bin
22110c813790f87422d691bc5388fb80bf784763a7199109d39bb4a3d8642e33		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A36 5068 bytes
font_01_sfnt_off00006b73.bin
41a38dfe8c6ed9742acc1336b2dc9137f2a7c706171612c9eaeb2701a19ef129		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B73 13028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.