Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2b2b21396cc366c…

MALICIOUS

PDF

57.9 KB Created: 2020-08-01 14:54:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 443230cb2f231fec88598f60305ed2b6 SHA-1: f183cd6e6769df2e4010a5a167c52fbcbd1dfe1c SHA-256: c2b2b21396cc366c04334b78f03c9b4b641448ea1d0875c042486ffe65e80193
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a link to a known malicious redirector, ttraff.ru, which is designed to lure users into providing credentials. The document body, though heavily obfuscated, contains the text 'Yahoo notepad login', suggesting a credential harvesting pretext. The PDF also hosts a large number of external links, many pointing to Shopify-hosted PDFs, indicating a link farm for SEO manipulation or traffic redirection.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=yahoo+notepad+login
    • http://files.khloekares.com/uploads/1/3/0/9/130969989/97e718e1830f7.pdf
    • http://files.reimaginepossibilities.com/uploads/1/3/1/4/131437157/9193912.pdf
    • http://files.a2arnett.com/uploads/1/3/2/7/132740327/vuraxarum.pdf
    • https://cdn.shopify.com/s/files/1/0429/5370/3590/files/92845375364.pdf
    • https://cdn.shopify.com/s/files/1/0431/1020/3556/files/mamow.pdf
    • https://cdn.shopify.com/s/files/1/0435/2868/3672/files/net_compakt_framework.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/13121593915.pdf
    • https://cdn.shopify.com/s/files/1/0438/0593/3730/files/tutikodazerekixugufop.pdf
    • https://cdn.shopify.com/s/files/1/0428/8839/6959/files/18878258562.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/69262577592.pdf
    • https://cdn.shopify.com/s/files/1/0431/4356/1373/files/62093172245.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/79265304831.pdf
    • https://cdn.shopify.com/s/files/1/0437/6782/4533/files/7653757012.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a5d5.bin
0d8764696d8be1e5ccf81ade8727b82aa26954521c107dd0747b4b89392d4227		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA5D5 4908 bytes
font_01_sfnt_off0000b68c.bin
ccd8794647428558e83d64c7ff78d8914575064b30734f716190113997fe7c90		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB68C 10780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.