Malicious PDF — malware analysis report

Static analysis result for SHA-256 d69babe41495dfc9…

MALICIOUS

PDF

46.3 KB Created: 2020-09-05 08:47:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ae9d05373e7f7a2130ae3ffb5f5c5ff SHA-1: d2ff9e82dd0d752176784d314cc35ebe368236ba SHA-256: d69babe41495dfc9fafa9adad61b30d52a18a402051428a9cc314268a3793972
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.link/wix?keyword=baby+funny+video++free'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, one of which points to 'https://cdn.shopify.com/s/files/1/0439/1682/0635/files/powershell_hello_world.pdf'. The presence of a 'SE_LOLBIN_RUN_COMMAND' heuristic suggests that the document may contain instructions or visible command text that could leverage Windows execution tools like PowerShell, further indicating a malicious intent to redirect users to harmful content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=baby+funny+video++free
    • https://cdn.shopify.com/s/files/1/0439/1682/0635/files/powershell_hello_world.pdf
    • https://cdn.shopify.com/s/files/1/0431/0512/4516/files/284048658.pdf
    • https://cdn.shopify.com/s/files/1/0432/1797/7504/files/pelipenomumijibudijad.pdf
    • https://static.usrfiles.com/ugd/9dda13_ce3a5b7e2d624345818d441469e517aa.pdf
    • https://static.usrfiles.com/ugd/585b1d_6f1ba0b976c349ca99e214c209f16380.pdf
    • https://cdn.shopify.com/s/files/1/0433/5419/4085/files/abhimaan_movie_song_ming.pdf
    • https://cdn.shopify.com/s/files/1/0469/3383/5931/files/lenozujutuvosetubezu.pdf
    • https://static.usrfiles.com/ugd/16879a_1f98c28edde442ceae12dcdf69839760.pdf
    • https://static.usrfiles.com/ugd/b8c837_80b8a4e5090542099a0308f65006ce3b.pdf
    • https://static.usrfiles.com/ugd/173616_20a7772a83c4451c9322b498fac20746.pdf
    • https://static.usrfiles.com/ugd/b463f2_bf69f44159704d4aabd3b2a24a5b815b.pdf
    • https://static.usrfiles.com/ugd/20d83a_4e32c58268254a428999271b5215edf3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000764c.bin
17197f3e5a8f6e05799716b11a7beaa81caa6a20eaf5860f93ea05b9ddc92fd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x764C 5040 bytes
font_01_sfnt_off00008790.bin
3a7750a993faa7b0e4170499db7c0630914fba157318323d6025b6da9d64c226		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8790 10960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.