Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fff6ce1834ef4c8…

MALICIOUS

PDF

50.9 KB Created: 2020-08-30 19:46:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 91271dfeba47483135f5e470e96392c2 SHA-1: 4b1efed63ae224aa1148123d1a38df49bc1e6bd7 SHA-256: 9fff6ce1834ef4c82dba4a0c2a31bf50928b83c72822026f5cc2d8002e27bd6c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits a PDF link farm behavior, with numerous links to external PDFs, including one hosted on 'cdn.shopify.com'. The document body contains the same malicious URL, reinforcing the intent to redirect the user. No scripts were extracted, and the family is unknown due to the lack of specific indicators.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=peptidoglycan+in+a+gram-positive+cell
    • https://cdn.shopify.com/s/files/1/0434/0659/0106/files/36426409478.pdf
    • https://cdn.shopify.com/s/files/1/0434/2490/7414/files/powujikijukisepazanoto.pdf
    • https://cdn.shopify.com/s/files/1/0440/6237/6088/files/approaching_minimums_sound.pdf
    • https://cdn.shopify.com/s/files/1/0437/8509/3272/files/lobolitobekewutukemuzi.pdf
    • https://static.usrfiles.com/ugd/b8c837_63d74fb18a554f81931d84a70dbeb211.pdf
    • https://static.usrfiles.com/ugd/865d50_3b0d157f23a340f794477786acf4fad9.pdf
    • https://cdn.shopify.com/s/files/1/0431/7223/3376/files/rijuwefelofepo.pdf
    • https://cdn.shopify.com/s/files/1/0435/8491/3563/files/datidifizodokusadaxopetog.pdf
    • https://cdn.shopify.com/s/files/1/0431/6993/9612/files/gexatijax.pdf
    • https://cdn.shopify.com/s/files/1/0431/4306/9845/files/customary_law_download.pdf
    • https://cdn.shopify.com/s/files/1/0428/4317/7126/files/93465019544.pdf
    • https://cdn.shopify.com/s/files/1/0428/1440/6823/files/61618077227.pdf
    • https://cdn.shopify.com/s/files/1/0435/7423/1199/files/fofunanubufa.pdf
    • https://cdn.shopify.com/s/files/1/0431/8350/5570/files/anansi_trickster_tales.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008565.bin
ed9eca89cead21b5b798a45a447f662b50e9d12904d6f47d5bae3d3e929a73a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8565 5588 bytes
font_01_sfnt_off00009858.bin
ef95f9a47e3497c2d9633c0478f0aae2a9b95175cf60eb7dd4f086668e7b4293		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9858 10588 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.