Malicious PDF — malware analysis report

Static analysis result for SHA-256 b81e1f93aa5f7949…

Verdict: MALICIOUS
File type: PDF
Size: 57.9 KB
Created: 2020-08-14 07:18:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d3c87ec33f87171c4f9a8661b526e9c
SHA-1: 42a3a40a9baecf38ff002efe50dd21b8f2347494
SHA-256: b81e1f93aa5f794911551f7e0d13c9cf2cd8f540b6512ad15068a2c840b92107
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a critical heuristic for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=birthday+cake+emoji'. It also exhibits a PDF link farm, with numerous links pointing to shopify.com domains, suggesting an attempt to manipulate search engine results or to distribute content. The document body, though partially corrupted, contains the same redirector URL, reinforcing the malicious intent.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=birthday+cake+emoji

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005f5e.bin
  SHA-256: a8a61ffb788be7029ff91380a0e62b2984605ca774e2e5a2a300de3ed66fd960
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5F5E
  Size: 3208 bytes

Filename: font_01_sfnt_off00006ad2.bin
  SHA-256: 6e9171fae9bfd86f82969529ec1b4d842879edcd6b9c1984dcb9aff1144b4fca
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6AD2
  Size: 5260 bytes

Filename: font_02_sfnt_off00007c94.bin
  SHA-256: 109c7e0a364a260882e36c226e80609b609874e3604ad83d0294dfd3167426d0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7C94
  Size: 8948 bytes

Filename: font_03_sfnt_off000099a6.bin
  SHA-256: 36164ad2a2dd58f6b8b4125e5db8576d93f3796069166286cf94d35c6eb37456
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x99A6
  Size: 11652 bytes

Filename: font_04_sfnt_off0000c0c6.bin
  SHA-256: 1de9cb1b8f27af42f6048ca3a10a903fafb720c42867959280838d1e4a29c735
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC0C6
  Size: 16728 bytes