Malicious PDF — malware analysis report

Static analysis result for SHA-256 d488932bbe885d4a…

MALICIOUS

PDF

Size: 50.4 KB
Created: 2020-07-24 17:45:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 32655269a522e1edbb46ba68ac190d08
SHA-1: d03b40a8ecd307ccd0f2c46f030a14d407893d52
SHA-256: d488932bbe885d4aed6c591e869adde129fed14c7c1260399f9e99cdaa1dee8b
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1204.001 Malicious Link
  • T1566.002 Spearphishing Link
  • T1059.003 Windows Command Shell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF SEO link farm, with numerous links hosted on cdn.shopify.com, suggesting an attempt to manipulate search engine results. The document also contains a lure to execute commands via the clipboard, indicating a potential for further system compromise. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.com/pify?keyword=linux+deploy+android+require+superuser+privileges%2528+root%2529
    • http://files.floridaacademyleague.com/uploads/1/3/1/4/131407705/safukig_gakajo_xinivema_lodibudesolafu.pdf
    • http://files.plateauvalleyanimalhospital.com/uploads/1/3/2/6/132681985/4898453.pdf
    • http://files.coasttocoastroofs.com/uploads/1/3/1/0/131071082/panitigez_ribin_nadijawena_refomerigavu.pdf
    • http://files.pyroptic.com/uploads/1/3/1/4/131483336/373c7271af65.pdf
    • http://files.pyroptic.com/uploads/1/3/1/4/1
    • https://cdn.shopify.com/s/files/1/0429/6949/7753/files/89697142796.pdf
    • https://cdn.shopify.com/s/files/1/0436/1604/3168/files/dejilerilajezovumo.pdf
    • https://cdn.shopify.com/s/files/1/0437/7572/1633/files/gikuzom.pdf
    • https://cdn.shopify.com/s/files/1/0428/4419/2935/files/demuzemivujotezalorovuf.pdf
    • https://cdn.shopify.com/s/files/1/0436/3298/4222/files/72003512082.pdf
    • https://cdn.shopify.com/s/files/1/0431/5539/0630/files/87035702266.pdf
    • https://cdn.shopify.com/s/files/1/0438/6249/1286/files/7151864772.pdf
    • https://cdn.shopify.com/s/files/1/0428/3046/3142/files/69399864924.pdf
    • https://cdn.shopify.com/s/files/1/0438/0976/7584/files/kadafudikodum.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000085db.bin
    SHA-256: 0664f0671a267442871b187c87914822012782f97bd95f9a55c365752b9f4015
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x85DB
    Size: 5460 bytes
  • Filename: font_01_sfnt_off0000988b.bin
    SHA-256: 577261722a4cb3bf9e265e52b603f1578638c41416d28cc8aab3a5d8005f5cef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x988B
    Size: 10344 bytes