Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3390fc41f08e21d…

MALICIOUS

PDF

50.5 KB Created: 2020-07-25 01:57:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e628bc26fe0cf835b1de3ee31f7772a SHA-1: 3b5c72c03573b816b5fd765f2720a0b3a06a1fcd SHA-256: c3390fc41f08e21ded2c51b4dce4902b39fd140024e3049185e52fdf7fc8cb82
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=insurance+company+valuation+report'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, including one to 'https://cdn.shopify.com/s/files/1/0434/7976/1061/files/buvawa.pdf'. The document body, though heavily obfuscated, suggests a lure related to an 'Insurance company valuation report'. The combination of these factors indicates a phishing attempt designed to redirect users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=insurance+company+valuation+report
    • http://files.wyomingbaroque.org/uploads/1/3/1/4/131437246/3798493.pdf
    • http://files.yogashak.com/uploads/1/3/0/9/130969910/zevuru.pdf
    • http://files.oakwoodbaptistmilan.net/uploads/1/3/1/0/131070379/2275896.pdf
    • http://files.yogashak.com/uploads/1/3/0/9/13
    • https://cdn.shopify.com/s/files/1/0434/7976/1061/files/buvawa.pdf
    • https://cdn.shopify.com/s/files/1/0428/1945/3095/files/nekajedosimifutowilar.pdf
    • https://cdn.shopify.com/s/files/1/0431/5011/4965/files/56308704162.pdf
    • https://cdn.shopify.com/s/files/1/0438/4777/8469/files/1280493251.pdf
    • https://cdn.shopify.com/s/files/1/0433/8266/9461/files/16568818429.pdf
    • https://cdn.shopify.com/s/files/1/0432/2931/5229/files/25453938187.pdf
    • https://cdn.shopify.com/s/files/1/0431/5555/4455/files/kudoxod.pdf
    • https://cdn.shopify.com/s/files/1/0431/4185/7448/files/marebofelasebixabab.pdf
    • https://cdn.shopify.com/s/files/1/0432/4173/4311/files/10989746449.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/44603331863.pdf
    • https://cdn.shopify.com/s/files/1/0431/8180/1629/files/44855298062.pdf
    • https://cdn.shopify.com/s/files/1/0429/3240/4380/files/zusesofanezirepezeforar.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000804a.bin
3707fdebdb7d5af3db60f8f0ca3494538f6f701e142f217331ca6d0f074ca764		 pdf-font-stream PDF embedded font (sfnt) at offset 0x804A 5060 bytes
font_01_sfnt_off00009162.bin
56287e1835e05cda7690af89985c3c8026f2e70188dec4c1ab020e6c96150170		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9162 13968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.