Malicious PDF — malware analysis report

Static analysis result for SHA-256 b38c141542079bd3…

MALICIOUS

PDF

48.6 KB Created: 2020-08-26 02:15:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68f9f5527436761c7ad422d3765638bc SHA-1: 0a7dd884f80e39b2435c6d7b1987b9b87847fcfb SHA-256: b38c141542079bd389a4c05600233adca5cc22fbaa6dc900f8c25e0724c37f31
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is designed to lead users to further malicious content. The document also functions as a link farm, containing numerous links to external PDFs, many hosted on cdn.shopify.com, with the intent of SEO manipulation or distributing further payloads. The presence of a malicious redirector link indicates a phishing or social engineering attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=fumigar+para+polillas+de+madera
    • http://giwedod.laocdb.com/uploads/1/3/1/4/131482916/jagewomum.pdf
    • http://files.downersgrovecpr.com/uploads/1/3/1/4/131410479/sajilusorisofixus.pdf
    • https://cdn.shopify.com/s/files/1/0433/0881/0398/files/wepomufaguxedizebaw.pdf
    • https://cdn.shopify.com/s/files/1/0431/6794/0765/files/robotic_arm_introduction.pdf
    • https://cdn.shopify.com/s/files/1/0434/7746/7288/files/negowokesinavorazezikojaw.pdf
    • https://cdn.shopify.com/s/files/1/0436/4327/3369/files/crime_scene_report_example.pdf
    • https://cdn.shopify.com/s/files/1/0440/6909/3541/files/giforekib.pdf
    • https://cdn.shopify.com/s/files/1/0452/5981/7117/files/jigefev.pdf
    • https://cdn.shopify.com/s/files/1/0432/1063/7476/files/49895715708.pdf
    • https://cdn.shopify.com/s/files/1/0432/7142/2102/files/17854706877.pdf
    • https://cdn.shopify.com/s/files/1/0431/5037/7126/files/biostatistics_lecture_notes_ethiopia.pdf
    • https://cdn.shopify.com/s/files/1/0430/2071/4137/files/bikifotibu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007ccd.bin
07942ec30aff7652009332381bc1ab30f025b322f464ff492d3b58efabc6b6d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CCD 5236 bytes
font_01_sfnt_off00008e7b.bin
6f806a97d7262d20aed9f86fc0884901215a91b0cd429c65d3a4a00eb1053021		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E7B 11528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.