Malicious PDF — malware analysis report

Static analysis result for SHA-256 d59784760079ae31…

MALICIOUS

PDF

41.1 KB Created: 2020-09-07 03:30:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d2002601b61f933833d35a6cb5308e4 SHA-1: 9514aaf6312682a98ad9024ded6c38bc2b75ce74 SHA-256: d59784760079ae31e59f0345b4f98a84c19000d3a1cb0484c6ee76f8837148db
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. Additionally, PDF_SEO_LINK_FARM suggests a large number of outbound links, many hosted on cdn.shopify.com, which is unusual for a legitimate report. The embedded URL https://ttraff.me/pify?keyword=fixed+income+research+report+sample is the primary indicator of malicious intent, likely serving as a lure for phishing or malware delivery. The document body contains garbled text but includes the same lure text and URLs found in the heuristics.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=fixed+income+research+report+sample
    • https://cdn.shopify.com/s/files/1/0432/1463/5165/files/ladupibojegapeleneditofe.pdf
    • https://cdn.shopify.com/s/files/1/0452/6794/3586/files/bob_et_bobette_telecharger.pdf
    • https://cdn.shopify.com/s/files/1/0428/0100/4707/files/52481898709.pdf
    • https://cdn.shopify.com/s/files/1/0429/9446/6969/files/ebook_cerita_anak.pdf
    • https://cdn.shopify.com/s/files/1/0440/7446/7478/files/dunosedumadifajuxow.pdf
    • https://cdn.shopify.com/s/files/1/0431/9218/9089/files/algorithms_unlocked_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0428/8829/8659/files/salvar_nfe_acbr.pdf
    • https://cdn.shopify.com/s/files/1/0430/6888/3098/files/kinigelisusu.pdf
    • https://cdn.shopify.com/s/files/1/0432/3406/6600/files/osrs_commander_zilyana_guide.pdf
    • https://cdn.shopify.com/s/files/1/0437/7991/5934/files/29945614649.pdf
    • https://static.usrfiles.com/ugd/299074_a8a60be9c5b74a5a99f6e88769489584.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f6107fba7ee425ba769464669ef6d58.pdf
    • https://cdn.shopify.com/s/files/1/0436/3704/7449/files/the_bronze_horseman.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/norojakibi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006211.bin
01ce8796690d05876756c402687c3348f4128687688b4b54d581603af36a9a05		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6211 5336 bytes
font_01_sfnt_off00007412.bin
6f2bff7df77495f0a480e5dd6b45ff42cb00053d4c062e42573aa590fa4950a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7412 10320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.