Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4afc70ab1045e1d…

Verdict: MALICIOUS
File type: PDF
Size: 62.2 KB
Created: 2020-08-16 19:42:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ed48f5aadc879d157a1c14ea36735f3e
SHA-1: d0ef56931a1df200e7d3018506d95ddc6a7492b5
SHA-256: c4afc70ab1045e1d37b1ae7f473df1e266eb11fedf7ee02849ab5d55d3f6a30b
Risk score: 170

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.001 Malicious Link

The PDF contains a lure related to payment redirection or bank detail changes, a common tactic in business email compromise attacks. It also features a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. The document body, though partially corrupted, contains the phrase 'Huf pan card affidavit format in word' and the malicious URL, reinforcing the lure. The presence of numerous external PDF links, many hosted on cdn.shopify.com, suggests a link farm used for SEO poisoning or to obscure the final malicious destination.

Heuristics (5)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [high] SE_PAYMENT_REDIRECT_LURE: Payment redirection / bank-detail change lure
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions, a high-value business-email-compromise pattern.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=huf+pan+card+affidavit+format+in+word

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ab86.bin
    SHA-256: 3b89a1333aa93e194de12c5c5da229a8f3a969ace6b07a90c5323b9ece6747ec
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAB86
    Size: 2828 bytes
  • Filename: font_01_sfnt_off0000b581.bin
    SHA-256: 1675619ef9948bf94e312da3fa3dd2b695545ac1de40bd70514d284782810528
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB581
    Size: 5204 bytes
  • Filename: font_02_sfnt_off0000c731.bin
    SHA-256: b1d3abb2732f5c9da7fbc1aa41be5b2375443e7dc07d570862ee605eb2c67562
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC731
    Size: 10568 bytes