Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6cfbcf4ab48a84c…

MALICIOUS

PDF

55.4 KB Created: 2020-08-02 19:41:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6dc5ddc2539e442446a4ddc4f84227fc SHA-1: 8da93038197d6ef5b7bbf1ccc5da3edc27860e32 SHA-256: a6cfbcf4ab48a84c4c842a8271f575146484a45458c453a08c487774a7cf0132
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. The document body, though heavily obfuscated, contains the URL https://ttraff.cc/pify?keyword=xray+texture+pack+minecraft, which is likely intended to trick users into downloading malicious content by posing as a Minecraft texture pack. The PDF_SEO_LINK_FARM heuristic also indicates a large number of outbound links, many hosted on cdn.shopify.com, suggesting a link farm used for SEO poisoning or distributing malicious files.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=xray+texture+pack+minecraft
    • http://files.newhavenalphas.com/uploads/1/3/1/3/131379553/2904691.pdf
    • http://files.voguealamode.com/uploads/1/3/0/8/130874110/vadesorasoj_zuwobuto.pdf
    • http://files.jack-butler.com/uploads/1/3/0/9/130969762/kenunon-zeriforug-likanenelazofe.pdf
    • http://files.chippewavalleyleatherworks.com/uploads/1/3/1/6/131637640/ecb9d445db7d19.pdf
    • https://cdn.shopify.com/s/files/1/0437/5173/5448/files/buxave.pdf
    • https://cdn.shopify.com/s/files/1/0427/7708/4070/files/rodaronufexofizugati.pdf
    • https://cdn.shopify.com/s/files/1/0434/4512/5281/files/11183218312.pdf
    • https://cdn.shopify.com/s/files/1/0435/4713/2068/files/51559135367.pdf
    • https://cdn.shopify.com/s/files/1/0431/3631/9645/files/jekirorogelizoxapiwirofi.pdf
    • https://cdn.shopify.com/s/files/1/0436/0273/9362/files/kixodali.pdf
    • https://cdn.shopify.com/s/files/1/0431/7482/2043/files/86065995773.pdf
    • https://cdn.shopify.com/s/files/1/0428/4085/0598/files/72951017012.pdf
    • https://cdn.shopify.com/s/files/1/0431/8691/3431/files/dazotisenopejaboninavena.pdf
    • https://cdn.shopify.com/s/files/1/0434/3804/7388/files/fotupe.pdf
    • https://cdn.shopify.com/s/files/1/0427/7692/0220/files/70202166558.pdf
    • https://cdn.shopify.com/s/files/1/0434/2261/3655/files/21081487804.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009b5d.bin
c89070524eca22b02abc53613c2f46ae7836e0a151e5d0ebc95f59cc0ab31ba9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B5D 5160 bytes
font_01_sfnt_off0000ace7.bin
2856cc73a4644567067169085a05d6365a82e388a4865248243bd002df234a7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xACE7 10632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.