Malicious PDF — malware analysis report

Static analysis result for SHA-256 a27800783f1ca6bc…

MALICIOUS

PDF

45.0 KB Created: 2020-08-10 23:55:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64de42bcd12b2c116eda2b0b47634b3d SHA-1: 27dbea26c59a0acf6b1eac95a0e62ebd0dfc1568 SHA-256: a27800783f1ca6bc87254d5fd38064bb80f617b4f7f9481b275cd358df63dfcc
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. It also contains a PDF link farm heuristic, with many links hosted on Shopify. The document body, though heavily obfuscated, contains the same malicious URL and several benign-looking Shopify URLs, suggesting a lure to download further content. The primary malicious URL is 'https://ttraff.com/pify?keyword=basic+workout+routine+pdf'.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=basic+workout+routine+pdf
    • http://tinugi.tmulder.studio/uploads/1/3/1/8/131871721/rinajiv_tixadotibumix.pdf
    • http://files.jwesleyfoundation.com/uploads/1/3/1/0/131070402/7f87438b4.pdf
    • http://pawovafax.leolinbowen.com/uploads/1/3/0/7/130775897/pekixona.pdf
    • https://cdn.shopify.com/s/files/1/0430/8582/4164/files/how_to_ace_the_uber_interview.pdf
    • https://cdn.shopify.com/s/files/1/0437/9394/0641/files/mazuxemax.pdf
    • https://cdn.shopify.com/s/files/1/0428/4363/5879/files/piwaronudimo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/59677855830.pdf
    • https://cdn.shopify.com/s/files/1/0441/2506/1272/files/el_almohadon_de_plumas_analisis.pdf
    • https://cdn.shopify.com/s/files/1/0431/0941/7127/files/91117578544.pdf
    • https://cdn.shopify.com/s/files/1/0431/4356/1384/files/69297914486.pdf
    • https://cdn.shopify.com/s/files/1/0432/0365/7887/files/fumiwakapapogubiwukam.pdf
    • https://cdn.shopify.com/s/files/1/0428/1873/2191/files/zeguniduf.pdf
    • https://cdn.shopify.com/s/files/1/0431/5440/7580/files/redok.pdf
    • https://cdn.shopify.com/s/files/1/0435/7442/7811/files/57963258023.pdf
    • https://cdn.shopify.com/s/files/1/0434/0344/4387/files/60341174624.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000071fd.bin
dcc3da81f654e589751b98b4ea61702e1e6b919eea07c75409e93f0fed51abb4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71FD 5320 bytes
font_01_sfnt_off00008438.bin
4b85196a4994532d2c905038fe0d74fce01cb6b8d92cae96f29d6c90590bf727		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8438 10228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.