Malicious PDF — malware analysis report

Static analysis result for SHA-256 cdd95d6d9ba5b535…

MALICIOUS

PDF

40.1 KB Created: 2020-08-21 18:01:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6177069423aa4e74a208c01236b2bc80 SHA-1: c15e131767580587126ee5999f0d9a3178d5f346 SHA-256: cdd95d6d9ba5b5355b406df913a10ded9551bf04c2a8485877e64e15b6b6ee28
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of external links, many of which point to Shopify domains, but one critical link redirects to a known malicious domain (ttraff.cc). This suggests a link farm or redirector strategy to obscure the final malicious destination. The document body, though heavily obfuscated, also contains the malicious URL, reinforcing the redirection attempt. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=angular+new+formgroup+example
    • http://files.amandabrodiestenlund.com/uploads/1/3/0/8/130874394/silare.pdf
    • https://cdn.shopify.com/s/files/1/0434/0740/9319/files/6118100760.pdf
    • https://cdn.shopify.com/s/files/1/0431/4189/0209/files/anatomia_musculos_del_cuello.pdf
    • https://cdn.shopify.com/s/files/1/0433/4105/4105/files/69093691589.pdf
    • https://cdn.shopify.com/s/files/1/0437/3187/8049/files/folic_acid_in_pregnancy_guidelines.pdf
    • https://cdn.shopify.com/s/files/1/0434/5603/7017/files/filituzivewilat.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kewosa.pdf
    • https://cdn.shopify.com/s/files/1/0431/6810/4610/files/gikipazetozususi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005535.bin
e2aff7236463c80a56695abf9ffa5bdaf738edd2b549bee445970391e818a09b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5535 5192 bytes
font_01_sfnt_off000066e7.bin
5f18df36ff9e5b0aac2f77186997a249ced6d96c1469cb49f3c5fae4552734cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66E7 14384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.