Malicious PDF — malware analysis report

Static analysis result for SHA-256 a97d6d04d1bceaed…

MALICIOUS

PDF

56.3 KB Created: 2020-08-21 07:07:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 77d14353211c05f51fdc7fa8e79c4589 SHA-1: 37509b3b856fd5d0635df169c1f3c4d822575dfe SHA-256: a97d6d04d1bceaedba5549ca6e539d5b070f7641af9e1361de002fb3d49069ce
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains embedded links, with one critical heuristic identifying a link to a known malicious redirector at 'ttraff.com'. Another heuristic indicates a PDF link farm, suggesting an attempt to distribute or obscure malicious content. The document body, though heavily obfuscated, contains the malicious URL, reinforcing the lure. No scripts were extracted, but the presence of malicious redirector links strongly suggests a phishing or malware delivery attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=speak+now+1+pdf+%25D1%2581%25D0%25BA%25D0%25B0%25D1%2587%25D0%25B0%25D1%2582%25D1%258C
    • http://files.q-four.com/uploads/1/3/1/8/131856917/fevuwija.pdf
    • https://cdn.shopify.com/s/files/1/0432/0873/6927/files/87524331634.pdf
    • https://cdn.shopify.com/s/files/1/0430/9693/2505/files/42679540016.pdf
    • https://cdn.shopify.com/s/files/1/0432/6152/6166/files/8976014856.pdf
    • https://cdn.shopify.com/s/files/1/0433/4141/4568/files/smoke_detector_alarm_circuit.pdf
    • https://cdn.shopify.com/s/files/1/0430/7727/1703/files/47597206894.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/telisupuf.pdf
    • https://cdn.shopify.com/s/files/1/0428/2669/4822/files/laminates_and_veneers_in_dentistry.pdf
    • https://cdn.shopify.com/s/files/1/0428/8295/7478/files/62036011626.pdf
    • https://cdn.shopify.com/s/files/1/0437/0078/1208/files/visulup.pdf
    • https://cdn.shopify.com/s/files/1/0435/8524/1256/files/fitofubisob.pdf
    • https://cdn.shopify.com/s/files/1/0428/6644/2406/files/jalarijokopa.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vazakiliduvapi.pdf
    • https://cdn.shopify.com/s/files/1/0429/3489/4755/files/37476673528.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008d59.bin
6fa4da10fdb4d686b40dbbc6fe65ec44b2f4ff26a74bcf7c875fdc10b003171a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D59 5668 bytes
font_01_sfnt_off0000a053.bin
4979387b6e348f7478d2506bdee2dfbb3912f8e890e8f04266a77cad58df7423		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA053 16216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.