Malicious PDF — malware analysis report

Static analysis result for SHA-256 c74a223e1326ce2e…

Verdict: MALICIOUS
File type: PDF
Size: 32.9 KB
Created: 2020-08-23 06:37:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8cc42cf51d44978325cebf2179bc1da3
SHA-1: 4f29ce672ece1a54de16a1830893296f8764fe93
SHA-256: c74a223e1326ce2e9e2b6076812934c41bb3ab139e8fa98f7319fa92b7f463f9
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document triggers a critical heuristic for a malicious redirector link, specifically 'https://ttraff.com/pify?keyword=internet+explorer+9+android+apk'. This URL is presented within the document body, disguised as a download link for an Android application. The large number of external PDF links, many hosted on Shopify, suggests a link farm or SEO-poisoning tactic intended to drive traffic to the malicious redirector. The document itself was generated by wkhtmltopdf, a tool commonly used to render web content as PDF, which is consistent with a web page repackaged as a lure offering a download link.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=internet+explorer+9+android+apk

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off000043d3.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x43D3  5000 bytes
  SHA-256: 4969a7212618c190b164a8b2b14b9e5de4a4329b5d9278ff89085659026a22e4
font_01_sfnt_off000054e1.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x54E1  10020 bytes
  SHA-256: 8f19550d4d7f093a971c213413c8db54693df95cbb108043f578e369a060efd3