Malicious PDF — malware analysis report

Static analysis result for SHA-256 d16f99cd4e3a17c1…

MALICIOUS

PDF

48.4 KB Created: 2020-08-30 09:03:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89e0a4c5db7085dc057e9a432309a49e SHA-1: e6a117b95b45e8d85d5119c631e7e0a5de7384da SHA-256: d16f99cd4e3a17c1b681fe14c36a8d0a01ad0c3fcf2990ff7c1dc864bc0b1dd2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, identified as a link farm. One of the primary links, 'https://ttraff.ru/wix?keyword=catch+combo+pokemon+lets+go', is flagged as a malicious redirector. The document body, though heavily obfuscated, appears to contain references to this URL and other Shopify-hosted PDF files, suggesting a lure to a malicious site. The presence of multiple embedded PDFs and a redirector link indicates a likely attempt to lead users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=catch+combo+pokemon+lets+go
    • https://cdn.shopify.com/s/files/1/0431/8828/9694/files/90013365654.pdf
    • https://cdn.shopify.com/s/files/1/0433/4914/7816/files/fabokozatobitekazi.pdf
    • https://cdn.shopify.com/s/files/1/0431/4149/6981/files/kovoromizixito.pdf
    • https://cdn.shopify.com/s/files/1/0435/9333/4947/files/fadevukoga.pdf
    • https://cdn.shopify.com/s/files/1/0431/7370/7925/files/wuvopifisodujidigovapaba.pdf
    • https://static.usrfiles.com/ugd/b8c837_0ee62c131f8448449de202204ebdcb1c.pdf
    • https://static.usrfiles.com/ugd/3f4b99_5a46f08e8003424da8ecdccf11b738c4.pdf
    • https://static.usrfiles.com/ugd/b8c837_a538c46f3e7540e2b482ad1377d0217a.pdf
    • https://static.usrfiles.com/ugd/defcb2_a75d7660147a4f6789b0f3bbf9274c46.pdf
    • https://static.usrfiles.com/ugd/576447_ec4b549550b540fe86ccb387e7c7a254.pdf
    • https://static.usrfiles.com/ugd/2ac701_c34dd5a0b10e4e7982cd44bc61d577e9.pdf
    • https://static.usrfiles.com/ugd/b8c837_94e3a8296603478e8006a35a8b66b84b.pdf
    • https://static.usrfiles.com/ugd/b8c837_7d9c1b7c5fdc412f8793aac7ea0c75cd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063a9.bin
c09453735c41944bcbbc4c76bdeaa4f56840bf018c015031596a6bc59c43d6c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63A9 4244 bytes
font_01_sfnt_off0000728c.bin
48d78d1d54ec93c3a56ce00668d282a5881e63df9924b674d390efaf131efca9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x728C 5216 bytes
font_02_sfnt_off00008425.bin
5ebd53944354d3b54c704405b0be40fdd8ec89f789e815d0a1c6638e8b94b8a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8425 9964 bytes
font_03_sfnt_off0000a649.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA649 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.