Malicious PDF — malware analysis report

Static analysis result for SHA-256 caf75415025a81f0…

MALICIOUS

PDF

38.8 KB Created: 2020-08-19 09:32:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 593d27dd92d7eed24eed1045e147720c SHA-1: 6a63e0abd0bc9b45353f4b06cb43b2b1f40101b6 SHA-256: caf75415025a81f0425dc6adef5aaf1acd8be1a8d64d0efed0c8d0891906b5dd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a lure related to a 'Countdown clock powerpoint template' and embeds a link that redirects to malicious infrastructure via ttraff.com. This indicates a phishing or social engineering attack. The PDF also contains a large number of external links, many hosted on Shopify, which is indicative of a link farm used for SEO poisoning or to obscure the final malicious destination. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=countdown+clock+powerpoint+template
    • http://files.mackbuildltd.com/uploads/1/3/2/3/132303077/9ad5265.pdf
    • https://cdn.shopify.com/s/files/1/0431/5345/7320/files/toyota_hiace_camper.pdf
    • https://cdn.shopify.com/s/files/1/0433/0491/1006/files/94849076626.pdf
    • https://cdn.shopify.com/s/files/1/0430/7959/8229/files/cain_and_abel_novel.pdf
    • https://cdn.shopify.com/s/files/1/0438/2218/6656/files/2014_chevy_spark_repair_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/8907/6117/files/dovim.pdf
    • https://cdn.shopify.com/s/files/1/0435/4048/0164/files/32639790313.pdf
    • https://cdn.shopify.com/s/files/1/0437/0684/3288/files/lovutapejukodem.pdf
    • https://cdn.shopify.com/s/files/1/0434/3581/9164/files/vurusarizalot.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/62894204366.pdf
    • https://cdn.shopify.com/s/files/1/0435/2904/4127/files/45538250047.pdf
    • https://cdn.shopify.com/s/files/1/0430/7537/1162/files/recent_ielts_listening_exam_questions_with_answers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a46.bin
6e6d3d8942e63f6afbf579119a291197e7073022bd73b3e9a0688c83d511df84		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A46 5104 bytes
font_01_sfnt_off00006ba0.bin
0c29d7a9feb5e0a4b3e22c7dad7edf735a07844b5945f054adc3270386d82987		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BA0 10284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.