Malicious PDF — malware analysis report

Static analysis result for SHA-256 b160a8b61eccc511…

Verdict: MALICIOUS
File type: PDF

Size: 51.9 KB
Created: 2020-08-30 19:09:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5753f0515154e0bd2071fc479f071d8c
SHA-1: 20fbe38142e2efc89b3a0537eb48ab891f9f2f10
SHA-256: b160a8b61eccc511722f8c99647c6bfcfcc1e87eea387dc70d0c2d95b126fb35
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=o+poder+do+habito'. This indicates the document's primary purpose is to redirect users to malicious infrastructure. The file also contains a large number of embedded links, many of which are to Shopify, but the critical heuristic overrides the benign reputation of those links. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=o+poder+do+habito
    • https://cdn.shopify.com/s/files/1/0434/4345/4102/files/18328298788.pdf
    • https://cdn.shopify.com/s/files/1/0430/7651/8049/files/71174687322.pdf
    • https://cdn.shopify.com/s/files/1/0432/9180/3801/files/makawajawotefilir.pdf
    • https://cdn.shopify.com/s/files/1/0428/7892/7011/files/50682617781.pdf
    • https://cdn.shopify.com/s/files/1/0437/9767/6192/files/irritating_ringtones_free_mobile.pdf
    • https://cdn.shopify.com/s/files/1/0428/3393/6547/files/difirevixazotu.pdf
    • https://static.usrfiles.com/ugd/b8c837_4d2c3bb36f12404e811aa3ac48835d09.pdf
    • https://static.usrfiles.com/ugd/b8c837_15e92f99d0184713afe8be59e0e5d453.pdf
    • https://static.usrfiles.com/ugd/de3d83_8859f9bc660345f5b2095e06f4877422.pdf
    • https://static.usrfiles.com/ugd/b8c837_9cd1557c1c2947198157ca595f286777.pdf
    • https://static.usrfiles.com/ugd/b8c837_b905e840e05e4104a64b7ce3b4252619.pdf
    • https://static.usrfiles.com/ugd/f09a9d_3802b52310cf40ab9b17725a6e64ef0f.pdf
    • https://static.usrfiles.com/ugd/3e5d97_150195fa04864ed8bfafe90889cbccec.pdf
    • https://static.usrfiles.com/ugd/f4de5e_1683b1bc2daa41218184c638aaef1a85.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off00008519.bin
  SHA-256: 2d886561af301c96b5c9c90518f16708caba9d989c0dc390043614b47d11ad85
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8519
  Size:    5004 bytes

font_01_sfnt_off00009607.bin
  SHA-256: daad3f347a4f42f432ee9983e619a7c063e36761dba5934b469418034847e28e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9607
  Size:    1800 bytes

font_02_sfnt_off00009e95.bin
  SHA-256: 23cc80f2b8fae7a8643b06b87cfd471101bd288233fc3cbe26c1ce104c0df46c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9E95
  Size:    10936 bytes