Malicious PDF — malware analysis report

Static analysis result for SHA-256 b46839e08271b5a1…

MALICIOUS

PDF

42.7 KB Created: 2020-08-15 03:15:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89cb062c357aabdb65dcda6c545658b9 SHA-1: 0efff0894924e1d049a47b6f9ee65f32852deee6 SHA-256: b46839e08271b5a1871b5bb35907e6dc1b9293fb2f41851ef8ede3e962d1bf70
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a mass of external links, including a critical link to a known malicious redirector at "https://ttraff.cc/pify?keyword=child+apperception+test+manual". The document body, though heavily obfuscated, also contains this URL, suggesting the primary purpose is to redirect the user to malicious infrastructure. The presence of numerous Shopify-hosted PDF links indicates a link farm strategy to potentially improve search engine ranking for malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=child+apperception+test+manual
    • http://files.hsngenomics.org/uploads/1/3/0/7/130775154/pawito.pdf
    • http://files.thelandscapestore.net/uploads/1/3/2/7/132710795/6ef3a7888ffc396.pdf
    • http://files.mrsnahonsartroom.com/uploads/1/3/0/8/130814605/wedoti-daboperik-bogeratinod.pdf
    • https://cdn.shopify.com/s/files/1/0438/1592/7965/files/4555658185.pdf
    • https://cdn.shopify.com/s/files/1/0435/1731/3178/files/49887398622.pdf
    • https://cdn.shopify.com/s/files/1/0434/0432/9127/files/tennessee_boat_bill_of_sale.pdf
    • https://cdn.shopify.com/s/files/1/0428/4638/8380/files/24490139568.pdf
    • https://cdn.shopify.com/s/files/1/0430/8860/9429/files/63551296777.pdf
    • https://cdn.shopify.com/s/files/1/0428/9272/2339/files/zetenanu.pdf
    • https://cdn.shopify.com/s/files/1/0434/3506/5510/files/lozupokemel.pdf
    • https://cdn.shopify.com/s/files/1/0431/2167/2356/files/bepevusuxulebaxi.pdf
    • https://cdn.shopify.com/s/files/1/0431/8222/7617/files/sebogizomoluwunaj.pdf
    • https://cdn.shopify.com/s/files/1/0433/3699/0885/files/savanasuzuz.pdf
    • https://cdn.shopify.com/s/files/1/0427/9818/6663/files/ragegemujuvajubugesarib.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006aec.bin
24a0c9953e1f4edd04361af810c5526430ee57217cd16c97f6fcb8409a4f82d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AEC 5220 bytes
font_01_sfnt_off00007c76.bin
845bf2a38d6326065e8a2c3fac570cbedbcd162a905f47b9aa09d20946d4f1e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C76 9868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.