Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fee7ed4936fa72f…

Verdict: MALICIOUS
File type: PDF
Size: 54.2 KB
Created: 2020-08-19 18:11:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f648fd06cd6e7f1591fe0ccb38f6f0d
SHA-1: 4a9b6e166f038761bbba69ce43478a47f2f2ff06
SHA-256: 9fee7ed4936fa72faf4ee1846dbf16cb548507f8e77039265e66097420e80867
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a critical heuristic for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains this URL and appears to be a lure themed around a song video. The PDF also exhibits the characteristics of a link farm, with numerous embedded URLs, many hosted on Shopify, suggesting an attempt to distribute further malicious content or to manipulate search engine rankings. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000672c.bin
    SHA-256: b69ca66d4c7c2e3863bffbefb74308bfe33e29117bbda36abe6ca160a532962f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x672C
    Size: 5472 bytes
  • font_01_sfnt_off000079bc.bin
    SHA-256: 67ee0fff1ee88cff10eec98586c94aa2e7863717645f12d5119363fc5036e966
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x79BC
    Size: 14700 bytes
  • font_02_sfnt_off0000a81e.bin
    SHA-256: e93acd332f5893643511f4cefd38969ad5c744ad1b08842a788b6be7d277dd15
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA81E
    Size: 16204 bytes
  • font_03_sfnt_off0000bd88.bin
    SHA-256: 48e474a21f239c4b5e5044f079f77ff0c31ba55506c12bb3c7800160c3876815
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBD88
    Size: 3616 bytes