Malicious PDF — malware analysis report

Static analysis result for SHA-256 aec2e9dd69b70358…

MALICIOUS

PDF

48.4 KB Created: 2020-08-20 01:31:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41378d8f6bc56ff40f8eeafd21bccfcf SHA-1: 02493ccbbcd4ec3dd842798a256b399147f52dac SHA-256: aec2e9dd69b70358f55b7f5efa32603b91c6565f62436de43596f1207f3dfcf1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=movie+magic+budgeting+software+free'. This indicates a social engineering lure, likely attempting to trick the user into downloading malware or visiting a phishing site. The document body, though heavily obfuscated, contains text related to 'Movie magic budgeting software free', reinforcing the lure. The presence of numerous external PDF links, many hosted on Shopify, suggests a link farm used for SEO poisoning or distributing malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=movie+magic+budgeting+software+free
    • http://vezesi.helpinghandsrescue.org/uploads/1/3/2/8/132815806/dizaku_webeto_dimokekipune_tones.pdf
    • http://files.radiowavz.com/uploads/1/3/1/4/131438676/welaferoxidusowag.pdf
    • http://files.gracefulbellephotography.com/uploads/1/3/1/8/131857305/4111523.pdf
    • http://zubexa.leifrichardson.org/uploads/1/3/1/4/131407315/tuxoboxamegukesize.pdf
    • http://virexekus.keithnickels.com/uploads/1/3/1/6/131606490/maseb-wivobavitirapor-topew.pdf
    • https://cdn.shopify.com/s/files/1/0432/2387/5746/files/galewusowolotilira.pdf
    • https://cdn.shopify.com/s/files/1/0433/4718/1718/files/wugasanovat.pdf
    • https://cdn.shopify.com/s/files/1/0431/4185/7448/files/oral_hygiene_definition.pdf
    • https://cdn.shopify.com/s/files/1/0435/3523/7269/files/assembler_gratuit.pdf
    • https://cdn.shopify.com/s/files/1/0449/2699/2551/files/27599071055.pdf
    • https://cdn.shopify.com/s/files/1/0434/7763/1126/files/93083073184.pdf
    • https://cdn.shopify.com/s/files/1/0435/5745/3985/files/84435582464.pdf
    • https://cdn.shopify.com/s/files/1/0430/3152/7575/files/covariance_analysis_of_censored_survival_data.pdf
    • https://cdn.shopify.com/s/files/1/0437/6340/0861/files/publicity_definition.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007e16.bin
603f12186e18ad4a503aa1395e93a35c1fc2db18fc557262cd061ef7d7eb95e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E16 5604 bytes
font_01_sfnt_off0000912e.bin
c071f1b07781e03ff0d80b890fecfd68dfba74e13b0c076b2da65408cde9feca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x912E 10528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.