Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e2b54ac8c2d4b25…

MALICIOUS

PDF

69.1 KB Created: 2020-07-31 18:50:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f915e4068d9bc9076b73b222a2effcf SHA-1: d238c6e8782c61469a41bfcfebcec165728393e1 SHA-256: 9e2b54ac8c2d4b25c9f212631faba14ce87fed726d08fd2ec9f47813cae14e7d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.ru', which is used in a lure for a 'Shopify cheat sheet'. The document body also contains this URL. The PDF also exhibits characteristics of a link farm, with numerous embedded links, many pointing to cdn.shopify.com, likely to appear legitimate. The primary malicious IOC is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=shopify+cheat+sheet
    • http://files.yogawithcarolinesmart.uk/uploads/1/3/0/8/130874658/7648804.pdf
    • http://files.selfhealingsuperfoods.com/uploads/1/3/1/8/131857914/tufelalozutume.pdf
    • http://files.trivvy.nl/uploads/1/3/1/4/131437680/8789266.pdf
    • https://cdn.shopify.com/s/files/1/0431/4392/1820/files/jusipajamatefiludi.pdf
    • https://cdn.shopify.com/s/files/1/0437/9358/0189/files/zexizijof.pdf
    • https://cdn.shopify.com/s/files/1/0432/7315/8812/files/semebotemovebodanoxekumad.pdf
    • https://cdn.shopify.com/s/files/1/0431/8029/4298/files/fitadopexez.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/78683638278.pdf
    • https://cdn.shopify.com/s/files/1/0428/4389/8019/files/pajutibolerezodo.pdf
    • https://cdn.shopify.com/s/files/1/0428/7276/6631/files/sizega.pdf
    • https://cdn.shopify.com/s/files/1/0429/7680/5023/files/51147253167.pdf
    • https://cdn.shopify.com/s/files/1/0431/4464/2715/files/94136131139.pdf
    • https://cdn.shopify.com/s/files/1/0429/2182/0313/files/47692352533.pdf
    • https://cdn.shopify.com/s/files/1/0438/8870/5688/files/kofipibofopapu.pdf
    • https://cdn.shopify.com/s/files/1/0435/5283/3695/files/43875023994.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c2bf.bin
614b2f69ab61ea4f9517d389afdbdc63df5bbe6836ca2e25f5c92f8d13a531bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC2BF 5180 bytes
font_01_sfnt_off0000d46d.bin
6bac4852be02f74c563d98cb986c848bb8677011e62930ff7065c6b23d6aa960		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD46D 16268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.