Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5638dfb82a36021…

MALICIOUS

PDF

43.6 KB Created: 2020-08-19 07:28:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3e2ec31c2389822bb64bbc3835a58caa SHA-1: 424901a9b01051d9cd3bdea0c08994a3ead811a0 SHA-256: d5638dfb82a36021010d944e24802cfac08d3dedcc731d8a1e134e196a2b58c9
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, some of which are hosted on Shopify. The presence of a 'LOLBin run command' heuristic suggests that the document may contain instructions or embedded commands intended to be executed, likely to facilitate the redirection or further payload delivery. The document body, though heavily obfuscated, contains the malicious URL and references to other PDF files, reinforcing the link farm and redirection attack pattern.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=babies+comedy+videos+free
    • http://files.yorkstone.ca/uploads/1/3/2/7/132710632/fb6789a1f8.pdf
    • http://files.sunnyhillpreschoolinc.com/uploads/1/3/1/4/131453251/2e4567d.pdf
    • http://zegadejot.nathannasbymusic.com/uploads/1/3/0/9/130969408/30359062b.pdf
    • http://files.astartestudio.com/uploads/1/3/0/8/130814402/xatesiba.pdf
    • http://giwumap.nationalparkswithkids.com/uploads/1/3/2/3/132302780/nomojamipab.pdf
    • https://cdn.shopify.com/s/files/1/0429/3269/9302/files/yearning_for_lightness.pdf
    • https://cdn.shopify.com/s/files/1/0437/5661/7877/files/60584677892.pdf
    • https://cdn.shopify.com/s/files/1/0435/8370/1151/files/curl_post_json.pdf
    • https://cdn.shopify.com/s/files/1/0435/7623/0046/files/bukevemabotodagugitafiru.pdf
    • https://cdn.shopify.com/s/files/1/0434/1900/9189/files/bangalore_bye_laws_2020.pdf
    • https://cdn.shopify.com/s/files/1/0427/8072/1311/files/tefiwanosivunajurajeket.pdf
    • https://cdn.shopify.com/s/files/1/0435/2717/6344/files/cg_movie_mayaru_ganga_free.pdf
    • https://cdn.shopify.com/s/files/1/0438/2906/7933/files/lujilozomovemawumu.pdf
    • https://cdn.shopify.com/s/files/1/0431/8845/3533/files/ballantine_books_submission_guidelines.pdf
    • https://cdn.shopify.com/s/files/1/0430/5957/6986/files/information_security_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0430/8385/8080/files/mike_tyson_s_punch-_out_characters.pdf
    • https://cdn.shopify.com/s/files/1/0430/7868/0727/files/liza_dalby_geisha.pdf
    • https://cdn.shopify.com/s/files/1/0428/5153/2963/files/dogezafefaverapubit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006bf0.bin
8292b6cee8ddd321a767c191932ff3abefde151e49aca92ecce2c5540943f15d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BF0 5488 bytes
font_01_sfnt_off00007e85.bin
43094c625543c58fc0618ed0e3e6118a496b2abeed116b1f07cdb6429e38af6f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E85 10308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.