Malicious PDF — malware analysis report

Static analysis result for SHA-256 a7c5920822dc3e91…

MALICIOUS

PDF

43.6 KB Created: 2020-08-11 07:19:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d1ac9151c509c6d90474e48dbece156 SHA-1: 7b7f1aa12568a7d3cfd5c866f3426e1ddd6e8a58 SHA-256: a7c5920822dc3e91cf1911c39e8fec72134b0407c0cf30f01df0430d851dc3c1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.com, disguised with a lure related to downloading books. The document body, though heavily obfuscated, contains the same URL and other links to Shopify domains, likely part of a link farm to improve search engine ranking for malicious content. The primary attack vector appears to be social engineering through a deceptive document title and embedded links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=baixar+todos+os+livros+apocrifos+pdf
    • http://luranuru.tnsportsfoundation.org/uploads/1/3/1/4/131437657/849038.pdf
    • http://gituvob.collectifcontraceptionliege.com/uploads/1/3/0/7/130775403/budoz-zupugeruketi-ligoga-soregof.pdf
    • http://files.achcew.org/uploads/1/3/2/3/132303147/060f6702.pdf
    • http://files.brokenhartarena.org/uploads/1/3/2/7/132710627/jogumijojuge_takuk_renuregozanupu_jiwozonugikene.pdf
    • http://xagane.marktmueller.com/uploads/1/3/0/9/130969723/vapimotur_nagisodev_xamewefudiv_papibudaparego.pdf
    • https://cdn.shopify.com/s/files/1/0437/1152/9114/files/46709889460.pdf
    • https://cdn.shopify.com/s/files/1/0435/5391/5043/files/nudimavi.pdf
    • https://cdn.shopify.com/s/files/1/0432/1171/8820/files/zaxinewipoje.pdf
    • https://cdn.shopify.com/s/files/1/0430/7727/1716/files/3346165543.pdf
    • https://cdn.shopify.com/s/files/1/0435/2992/8872/files/magic_jack_installation.pdf
    • https://cdn.shopify.com/s/files/1/0431/7400/2837/files/73340443032.pdf
    • https://cdn.shopify.com/s/files/1/0450/3034/2806/files/insectivorous_plants_pictures_with_names_and_information.pdf
    • https://cdn.shopify.com/s/files/1/0437/6271/2734/files/el_camino_de_la_kabbalah.pdf
    • https://cdn.shopify.com/s/files/1/0434/7779/4982/files/periodic_table_worksheets.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b26.bin
ef6143fab3ac9bd053cb7ababf9af21a8da36e2ce2e46ca79cc75378016bfbb1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B26 4892 bytes
font_01_sfnt_off00006be0.bin
a032542ac97c641fcb7eba87cbf744680b0a2fcbd77ee5b6708352223b2c225e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BE0 12612 bytes
font_02_sfnt_off00009204.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9204 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.