Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4b999fa080ac497…

MALICIOUS

PDF

39.3 KB Created: 2020-08-11 13:45:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f998b2958bf3c0d2ba997c96ced83f9 SHA-1: 56fd9af299db8af0d502b647c78e0307a7c01cee SHA-256: c4b999fa080ac497327a499a98891fea2507172d9060d9cf843f43f4e65b7cef
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to Shopify domains, but also includes a critical link to a known malicious redirector at 'https://ttraff.com/pify?keyword=simple+python+tutorial+pdf'. This suggests the document is designed to lead users to malicious infrastructure under the guise of providing a Python tutorial. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=simple+python+tutorial+pdf
    • http://files.toledominis.org/uploads/1/3/1/0/131070723/makipuwofamekoruwix.pdf
    • http://files.sarahann-photography.com/uploads/1/3/1/6/131607712/8fbc1f.pdf
    • http://files.smallorch.com/uploads/1/3/1/4/131406412/1186831.pdf
    • http://files.longlivethedogs.com/uploads/1/3/0/7/130775195/1029009.pdf
    • https://cdn.shopify.com/s/files/1/0437/4259/3189/files/banking_regulation_act_1949_latest.pdf
    • https://cdn.shopify.com/s/files/1/0434/5010/6018/files/49140839385.pdf
    • https://cdn.shopify.com/s/files/1/0437/9390/7869/files/oral_health_risk_assessment_tool.pdf
    • https://cdn.shopify.com/s/files/1/0430/0311/7719/files/lujizuteromekezolafug.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/baludugosutagaxoreforodul.pdf
    • https://cdn.shopify.com/s/files/1/0432/2990/5058/files/gloomhaven_forgotten_circles_rulebook.pdf
    • https://cdn.shopify.com/s/files/1/0430/3175/6957/files/nine_abdominopelvic_regions_and_organs.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/58933331969.pdf
    • https://cdn.shopify.com/s/files/1/0433/1231/6584/files/banivemewu.pdf
    • https://cdn.shopify.com/s/files/1/0430/0898/3203/files/sisusagiminifel.pdf
    • https://cdn.shopify.com/s/files/1/0437/7473/8586/files/93001830149.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005be4.bin
ff3251266f055c20076bfd100aef87bfddbcbe236d2ba28707e922c457a856b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BE4 5308 bytes
font_01_sfnt_off00006dcd.bin
f061c2d57b03760bebdc2809ad3c4b7a9dc1fe10e511c5d05f331d6bfa7be60a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DCD 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.