Malicious PDF — malware analysis report

Static analysis result for SHA-256 beb5e205033add69…

MALICIOUS

PDF

39.4 KB Created: 2020-08-18 20:53:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46032d5a1ea3901625d18873bd3ebe6e SHA-1: c01ea623b7cb36347d20db64ae1cfcd15a947b6a SHA-256: beb5e205033add69737ecc8e5a44f5050015d8757516594c14aa62d828fdeb22
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though partially corrupted, contains a URL that appears to be part of a link farm designed to attract search engine traffic. The primary malicious URL identified is https://ttraff.cc/pify?keyword=nutritional+information+chili+southwestern+egg+rolls, which likely leads to further malicious content. The presence of multiple PDF links, many pointing to Shopify, suggests an attempt to disguise malicious activity within a seemingly legitimate context.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=nutritional+information+chili+southwestern+egg+rolls
    • http://vogatinop.brendapenningtonart.com/uploads/1/3/2/3/132302872/3756341.pdf
    • http://fajelulox.jabberboxing.com/uploads/1/3/1/4/131453133/2312112.pdf
    • https://cdn.shopify.com/s/files/1/0440/8272/5029/files/1st_world_war_causes.pdf
    • https://cdn.shopify.com/s/files/1/0452/6528/9378/files/75097455744.pdf
    • https://cdn.shopify.com/s/files/1/0429/2267/2284/files/92457268084.pdf
    • https://cdn.shopify.com/s/files/1/0430/0177/4233/files/69407126508.pdf
    • https://cdn.shopify.com/s/files/1/0437/6782/4533/files/puzovigurirasiwerozesuri.pdf
    • https://cdn.shopify.com/s/files/1/0429/1647/9132/files/81033383847.pdf
    • https://cdn.shopify.com/s/files/1/0434/9450/6661/files/upsc_blank_answer_sheet_format_vision.pdf
    • https://cdn.shopify.com/s/files/1/0430/7946/7162/files/fawidamodexaxowulikivukum.pdf
    • https://cdn.shopify.com/s/files/1/0433/9394/1671/files/65238413804.pdf
    • https://cdn.shopify.com/s/files/1/0437/1195/5098/files/gaspard_de_la_nuit_piano.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a37.bin
df13b9a4999a877f234653b4cdef685f7ca35fbe12d62cd2c698a85d9d7a5df7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A37 5356 bytes
font_01_sfnt_off00006c53.bin
cdc232b159c5d39c962e6cf99467f57ea234e0bfeab914423839cfc427553e1d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C53 9964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.