Malicious PDF — malware analysis report

Static analysis result for SHA-256 a659964b27f19daa…

MALICIOUS

PDF

35.1 KB Created: 2020-08-14 11:22:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b2ca4183d1f6744d2e57e5e61e17629 SHA-1: 2531aac5bf00292c494d47777d2d0f654dced59d SHA-256: a659964b27f19daa5aad35c36ffbfa4cf755e87cde1d8baa288c55f55c59c1ed
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=air+supply+full+album++zip'. Additionally, it exhibits a PDF link farm heuristic, embedding numerous external PDF links, with a dominant host of 'cdn.shopify.com'. The document body contains garbled text but includes the same redirector URL, suggesting a lure to download or view content, which then leads to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=air+supply+full+album++zip
    • http://files.ilovequebeccity.com/uploads/1/3/0/7/130775063/mopoxe.pdf
    • http://mefap.norcalbarns.com/uploads/1/3/2/6/132681352/rakamufamuxeraju.pdf
    • http://files.green-graphene.com/uploads/1/3/1/8/131856188/a185e5cb0ec508c.pdf
    • http://nevuripob.appenzellers.org/uploads/1/3/1/8/131871991/lokuliluja-devakegutexaxax-kozozujugemumif-sebimunu.pdf
    • https://cdn.shopify.com/s/files/1/0438/5583/9382/files/ragukijo.pdf
    • https://cdn.shopify.com/s/files/1/0432/2318/7616/files/40266692460.pdf
    • https://cdn.shopify.com/s/files/1/0430/6835/8807/files/78857147092.pdf
    • https://cdn.shopify.com/s/files/1/0433/6300/8664/files/94839007951.pdf
    • https://cdn.shopify.com/s/files/1/0434/3080/5653/files/5516408615.pdf
    • https://cdn.shopify.com/s/files/1/0433/8273/5006/files/kokakilalidewevata.pdf
    • https://cdn.shopify.com/s/files/1/0437/2345/6661/files/wokuf.pdf
    • https://cdn.shopify.com/s/files/1/0432/1089/9624/files/35995232651.pdf
    • https://cdn.shopify.com/s/files/1/0432/4527/3248/files/center_tapped_full_wave_rectifier.pdf
    • https://cdn.shopify.com/s/files/1/0430/5967/5290/files/15451734895.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b2e.bin
225bcbf7a206719e22e9c1b06728e8978d3b961c1ac61e5de89a9fd1259659c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B2E 5328 bytes
font_01_sfnt_off00005d43.bin
30ce910fb00e84d8cfab7812966e566f96bda983084de58e12afee147e4a0907		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D43 10128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.