Malicious PDF — malware analysis report

Static analysis result for SHA-256 d24cf7b719b0c79c…

MALICIOUS

PDF

44.1 KB Created: 2020-08-20 13:19:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88c2d4b72914fb43174bb77c2b9b963e SHA-1: 09cfb19e1685ed3d860b107619ce28afde6ed8e1 SHA-256: d24cf7b719b0c79cbcdae339626b5730b0630d8cbeb7aa9fdfa655f1e397e3ef
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF file contains a lure related to a 'Kaspersky antivirus free activation code' and embeds a link to a known malicious redirector. The PDF also exhibits characteristics of a link farm, with numerous embedded links, many pointing to Shopify domains. The primary malicious URL identified is https://ttraff.cc/pify?keyword=kaspersky+antivirus+free+activation+code, which is likely used to deliver a secondary payload.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=kaspersky+antivirus+free+activation+code
    • http://files.outloudvideo.com/uploads/1/3/0/8/130874213/6946819.pdf
    • https://cdn.shopify.com/s/files/1/0439/9307/1774/files/34919548595.pdf
    • https://cdn.shopify.com/s/files/1/0431/5539/0630/files/jedizogidozijevag.pdf
    • https://cdn.shopify.com/s/files/1/0432/9707/9460/files/barisan_dan_deret_aritmatika_dan_geometri_kelas_11.pdf
    • https://cdn.shopify.com/s/files/1/0437/7729/4485/files/ainslie_macleod_the_instruction.pdf
    • https://cdn.shopify.com/s/files/1/0431/6299/2795/files/11976028951.pdf
    • https://cdn.shopify.com/s/files/1/0434/7589/4422/files/89891946951.pdf
    • https://cdn.shopify.com/s/files/1/0437/4387/1127/files/ferabanozujulif.pdf
    • https://cdn.shopify.com/s/files/1/0434/2376/0536/files/8571458657.pdf
    • https://cdn.shopify.com/s/files/1/0435/8832/1437/files/bedroom_interior_design.pdf
    • https://cdn.shopify.com/s/files/1/0448/7512/0807/files/45632023670.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0431/62

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006656.bin
e0d2975aadeb9a4deca5beb95e481b979dbb8fe5d231e2bd467679e70e6b42e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6656 5312 bytes
font_01_sfnt_off00007886.bin
a932f8a0e95e9fdfafc530ddce4cf9ace3a7cc6dee3003e79ae5e08856f871c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7886 13468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.