Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb0c2e17038efdaf…

MALICIOUS

PDF

44.0 KB Created: 2020-08-31 12:09:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 854e396336df4e4c0c25f3891299c715 SHA-1: 95568bb9485882624b0157b61d9d9b4de3a0344b SHA-256: bb0c2e17038efdaf6b66e84e887da92162043720a5f7663eb2d327a7fe4f053b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm and a direct link to a known malicious redirector, ttraff.cc. The document body, though heavily obfuscated, contains text related to 'strategic partnership framework' and the malicious URL, suggesting a lure. The presence of numerous links to Shopify-hosted PDFs indicates an attempt to blend in with legitimate content while directing users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=strategic+partnership+framework+temp
    • https://cdn.shopify.com/s/files/1/0429/3738/5123/files/85982588025.pdf
    • https://cdn.shopify.com/s/files/1/0435/4536/2581/files/abu_dhabi_commercial_bank_annual_report_2020.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vevisip.pdf
    • https://cdn.shopify.com/s/files/1/0429/6015/8873/files/66690616175.pdf
    • https://cdn.shopify.com/s/files/1/0429/1792/0934/files/nemogusukaji.pdf
    • https://static.usrfiles.com/ugd/191a6d_ecb756717b0d4156a90af4d6290b4be7.pdf
    • https://cdn.shopify.com/s/files/1/0432/1722/3840/files/guvaji.pdf
    • https://cdn.shopify.com/s/files/1/0432/6755/5481/files/luxomivumofoni.pdf
    • https://cdn.shopify.com/s/files/1/0433/9829/9813/files/73863807065.pdf
    • https://cdn.shopify.com/s/files/1/0432/6873/5140/files/witajuvarazoso.pdf
    • https://cdn.shopify.com/s/files/1/0430/7035/7653/files/super_baby_food_download.pdf
    • https://cdn.shopify.com/s/files/1/0428/5808/6559/files/bukowifedaginu.pdf
    • https://cdn.shopify.com/s/files/1/0431/3199/4280/files/jofagobuneluraw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0433/9829/9813/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d74.bin
12326fd420c6b72056eeeb18ac0f055f980e7c90eb95e1ebbca673b676d27a24		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D74 5656 bytes
font_01_sfnt_off00008094.bin
a418ad35e31f2627dda8751f888f79ce6fe17d2a156902a4045a2be6686b70e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8094 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.