Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7f404071b762573…

MALICIOUS

PDF

41.1 KB Created: 2020-08-31 04:32:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8179482a8871dd43be2d23c0686f8d68 SHA-1: e3159f3ce7e3a13778eee5598a65607eedc3e214 SHA-256: c7f404071b7625733042690c279e4f90163e954cb259a1f6293ebf145c34867f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=miller+xmt+304+cc%252F+cv'. This indicates the document's primary purpose is to redirect users to malicious infrastructure. While other URLs are present, they are predominantly benign Shopify links, suggesting a tactic of using legitimate-looking links to mask the malicious one. No scripts were extracted, and the document body is heavily obfuscated, making it difficult to determine the exact lure beyond the malicious redirect.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=miller+xmt+304+cc%252F+cv
    • https://cdn.shopify.com/s/files/1/0432/6640/8603/files/bhagavad_gita_made_easy_english.pdf
    • https://cdn.shopify.com/s/files/1/0434/3506/5505/files/kusekidodazeradopedofub.pdf
    • https://cdn.shopify.com/s/files/1/0433/4875/4600/files/multiplying_scientific_notation_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0434/1402/8450/files/79526509436.pdf
    • https://cdn.shopify.com/s/files/1/0440/0319/7078/files/what_is_the_meaning_of_inception_report.pdf
    • https://cdn.shopify.com/s/files/1/0430/6688/4250/files/one_piece_bounty_rush_beta_apk.pdf
    • https://cdn.shopify.com/s/files/1/0429/8866/7039/files/vomux.pdf
    • https://static.usrfiles.com/ugd/d1d005_3e4efe7dda3b4c918d1b2a3b126d9f4e.pdf
    • https://static.usrfiles.com/ugd/b8c837_3eac225cf6a944daa0d7b574701ecceb.pdf
    • https://static.usrfiles.com/ugd/d1c05f_fc78ed9636574809b91f60c6fdff1e18.pdf
    • https://static.usrfiles.com/ugd/09273f_b02e97994c3f4915aef09abe03c99fcd.pdf
    • https://static.usrfiles.com/ugd/a2ebd8_e4eec77932bd465686c4dec70a8a182d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005557.bin
083dd8fbf405a573fc1621bf004b0c99ef3347b57675fb563cf9c28ff60be9f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5557 4692 bytes
font_01_sfnt_off00006564.bin
3cf5710937732dc4b42ad189df6e66d3530ec4552ddb56637a60b0bd4db7a68f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6564 10600 bytes
font_02_sfnt_off000089a3.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89A3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.