Malicious PDF — malware analysis report

Static analysis result for SHA-256 be12e5b52ba4757c…

MALICIOUS

PDF

37.9 KB Created: 2020-08-16 21:12:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 70f7ca5a6c6614b7e045239429f5fcbe SHA-1: 6535b3d52e80588a1e51807460fed68c9a795eb5 SHA-256: be12e5b52ba4757c4e9a7eaa3b7db90b5d993a60bfc43a436333b62d80d8c704
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains text related to sheet music and the redirector URL. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to Shopify domains, but one points to 'wirazos.kootsadventure.com' which is also suspicious. The primary attack vector appears to be luring the user to the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=blowin+in+the+wind+sheet+music+guitar
    • http://wirazos.kootsadventure.com/uploads/1/3/1/6/131636664/4419711.pdf
    • https://cdn.shopify.com/s/files/1/0446/6973/0979/files/northstar_reading_and_writing.pdf
    • https://cdn.shopify.com/s/files/1/0431/3484/5079/files/85386295957.pdf
    • https://cdn.shopify.com/s/files/1/0435/8271/8107/files/gate_valve_dimensions.pdf
    • https://cdn.shopify.com/s/files/1/0428/9868/6119/files/x11_forwarding_request_failed_on_channel_0.pdf
    • https://cdn.shopify.com/s/files/1/0429/8381/7375/files/fha_condo_approval_guidelines_2019.pdf
    • https://cdn.shopify.com/s/files/1/0433/9780/8279/files/rowumuzak.pdf
    • https://cdn.shopify.com/s/files/1/0434/9073/8328/files/80135653156.pdf
    • https://cdn.shopify.com/s/files/1/0431/6341/8784/files/4261437521.pdf
    • https://cdn.shopify.com/s/files/1/0428/8207/2732/files/xerefukovinifibut.pdf
    • https://cdn.shopify.com/s/files/1/0427/5005/0460/files/82807991007.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004669.bin
2214fd00f779a6cd6dfcaf700b1ed4785f1a254bf50cfec05b2f3bb7fe715424		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4669 5376 bytes
font_01_sfnt_off0000588c.bin
6ed9f05b6bab9084d627387b4b798252a2f8c9439a9da2a77548f435c9ab529a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x588C 10532 bytes
font_02_sfnt_off00007ca5.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CA5 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.