Malicious PDF — malware analysis report

Static analysis result for SHA-256 a867add34a1f196f…

MALICIOUS

PDF

51.5 KB Created: 2020-08-15 02:31:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8586e62839be54051c859c35e0123520 SHA-1: dcc49374e0266ae030f94b70c6e0633bf9593655 SHA-256: a867add34a1f196f16697524e11a99e028be6ab9ab9efba465a0de845aa474e4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=cinderella+transformation+dress+pattern', indicating a lure to a malicious site. The presence of PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics strongly suggests a phishing or scam attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=cinderella+transformation+dress+pattern
    • http://files.simpleflight.net/uploads/1/3/1/3/131380849/watepitadizu.pdf
    • http://vuroji.santasacksbyreno.com/uploads/1/3/1/4/131453134/mojafoxin.pdf
    • http://files.hairandbeautysuppliesireland.com/uploads/1/3/1/6/131606330/nivumarorux.pdf
    • http://gavib.insper.com/uploads/1/3/0/7/130738993/wejuxoj.pdf
    • http://files.christianlisker.com/uploads/1/3/1/4/131453870/5be2971.pdf
    • https://cdn.shopify.com/s/files/1/0440/1401/0518/files/dekitopujapijam.pdf
    • https://cdn.shopify.com/s/files/1/0427/6345/2583/files/radiographic_cephalometry_jacobson.pdf
    • https://cdn.shopify.com/s/files/1/0433/4256/1433/files/60465353230.pdf
    • https://cdn.shopify.com/s/files/1/0433/6635/0998/files/suxosonatebekigonugopivo.pdf
    • https://cdn.shopify.com/s/files/1/0437/9980/6113/files/fire_emblem_sword_of_seal_rom.pdf
    • https://cdn.shopify.com/s/files/1/0430/0318/3258/files/189669876.pdf
    • https://cdn.shopify.com/s/files/1/0428/4320/9895/files/6244568070.pdf
    • https://cdn.shopify.com/s/files/1/0430/0649/2831/files/beautiful_in_white_piano_sheet_free.pdf
    • https://cdn.shopify.com/s/files/1/0432/9367/1588/files/varuxonomofupupa.pdf
    • https://cdn.shopify.com/s/files/1/0433/6225/5006/files/51501125356.pdf
    • https://cdn.shopify.com/s/files/1/0431/8894/5064/files/wewenaros.pdf
    • https://cdn.shopify.com/s/files/1/0433/7215/0942/files/fopetejozogizazipa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008ba4.bin
1b85edef95a53c4ecff21a57efd133910798e79337ad4927dc1a27d96365d2be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8BA4 5092 bytes
font_01_sfnt_off00009cd2.bin
cf5cfabce21af6708addae5789574af87382b0deebab8ae8185c5bdd662175a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9CD2 10472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.