Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2dae4d82b3401fd…

MALICIOUS

PDF

39.8 KB Created: 2020-07-29 04:27:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 48b978dc0a2f9263b427fddccce70a36 SHA-1: e61b18f6effed7f1308565a9f47a9356c2d36221 SHA-256: a2dae4d82b3401fda524041eeb50c2641842826ab1b82d282afe476b9a33baad
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=girl+guides+canada+uniform'. This URL is presented within the document's content, likely as a lure. The file also exhibits characteristics of a link farm, with numerous external PDF links, many hosted on cdn.shopify.com. No scripts were extracted, and the document body was heavily obfuscated, but the presence of the malicious redirector is the primary indicator of compromise.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=girl+guides+canada+uniform
    • http://files.diocesanchurchdevelopment.org/uploads/1/3/1/6/131606360/fagafumob-xuxumibiwodare-dizofet.pdf
    • http://files.scacsl.com/uploads/1/3/2/6/132681409/1a081ca1b.pdf
    • http://files.my-family-lore.com/uploads/1/3/0/9/130969012/tezipoxelaxunixe.pdf
    • https://cdn.shopify.com/s/files/1/0437/8748/5342/files/wugasokuwezi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/87960197539.pdf
    • https://cdn.shopify.com/s/files/1/0432/0978/5512/files/zezerowanijusobanujabab.pdf
    • https://cdn.shopify.com/s/files/1/0436/4196/2649/files/vikewitogolobojojon.pdf
    • https://cdn.shopify.com/s/files/1/0430/5905/2706/files/nolakiri.pdf
    • https://cdn.shopify.com/s/files/1/0437/3640/0037/files/jixokinijexilekexaxojat.pdf
    • https://cdn.shopify.com/s/files/1/0438/5538/0630/files/kugazopip.pdf
    • https://cdn.shopify.com/s/files/1/0439/4234/6907/files/gizoresaz.pdf
    • https://cdn.shopify.com/s/files/1/0432/2073/0020/files/40794479357.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pafinekumukomotutawewokab.pdf
    • https://cdn.shopify.com/s/files/1/0437/2057/3082/files/sakarenemipurelinig.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0430/5905/2706/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005dcd.bin
4561e80264bcc3267a7591d4752f066772e3d04914610747db50358362ad5f76		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DCD 5172 bytes
font_01_sfnt_off00006f41.bin
0f9e88c58efb63dca0a5d2514c2dec92234c56a6bdeaa6276a0112418dc776e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F41 10116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.