Malicious PDF — malware analysis report

Static analysis result for SHA-256 a31c61572fde511c…

MALICIOUS

PDF

42.6 KB Created: 2020-08-13 22:47:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5111fcd2dceb3937a541b561b2c99ffe SHA-1: 66b16c28fd475b6bff6fc5e1ef89a96ff5d84ce8 SHA-256: a31c61572fde511c52e295bd7971e0981ae7ec9ff1d40a6eeb357458ced06437
208 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution T1204.002 User Execution: Malicious File T1059 Command and Scripting Interpreter T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF contains a malicious redirector link and a link farm, indicating a social engineering lure. The document body and heuristics suggest the user is instructed to copy and paste commands, consistent with ClickFix attacks designed to bypass macro restrictions. The primary malicious URL is https://ttraff.cc/pify?keyword=gdi32.+dll+for+windows+8, which likely serves as a downloader for a second-stage payload.

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=gdi32.+dll+for+windows+8
    • http://files.bittermansguide.com/uploads/1/3/1/3/131398135/gogezam-feserufuluwojij-nuxajasonope.pdf
    • http://duxejod.somethingsoldsomethingsnew.com/uploads/1/3/2/7/132710780/dokoxi.pdf
    • http://files.oace.co/uploads/1/3/1/3/131381781/parotakime.pdf
    • http://files.faisslibrary.com/uploads/1/3/2/3/132302970/nagevinemenogozon.pdf
    • https://cdn.shopify.com/s/files/1/0430/3699/9842/files/38207921179.pdf
    • https://cdn.shopify.com/s/files/1/0439/2543/8619/files/brand_awareness_measurement_scale.pdf
    • https://cdn.shopify.com/s/files/1/0428/0126/6851/files/31451408515.pdf
    • https://cdn.shopify.com/s/files/1/0434/4460/0999/files/kenmore_sewing_machine_model_158_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pizegavegip.pdf
    • https://cdn.shopify.com/s/files/1/0434/1281/6034/files/71228512008.pdf
    • https://cdn.shopify.com/s/files/1/0428/9065/7951/files/kavajufekawuladubikew.pdf
    • https://cdn.shopify.com/s/files/1/0433/1218/5499/files/30743104280.pdf
    • https://cdn.shopify.com/s/files/1/0432/7309/3288/files/71808694801.pdf
    • https://cdn.shopify.com/s/files/1/0434/5724/9430/files/ripogebaw.pdf
    • https://cdn.shopify.com/s/files/1/0429/4829/6863/files/port_open_check.pdf
    • https://cdn.shopify.com/s/files/1/0437/4138/0759/files/kegigavirimopin.pdf
    • https://cdn.shopify.com/s/files/1/0434/2264/6422/files/kafelalipafomowufu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f53.bin
0d5bfefbafe785a8daf17f0eae0357e20ec6a2a03045d5f5f0cae8dc3e377811		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F53 5336 bytes
font_01_sfnt_off000071a4.bin
f6d8ecdcd1a397b3d068347db90158c49fcc1db3c0c8ea1bbdf92044af7ce9e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71A4 10148 bytes
font_02_sfnt_off00009470.bin
99dc99f891051cdbd138958a66ea6383a557cc7486c0c5acb0cb3ed99139840e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9470 2072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.