Malicious PDF — malware analysis report

Static analysis result for SHA-256 d83172bdedd05d66…

Verdict: MALICIOUS
File type: PDF
Size: 44.0 KB
Created: 2020-08-16 18:17:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e35786cee849dc4fe5488b86c3b5518
SHA-1: 73dbe6ff0b85f7884630961d73eba4c3568ee52d
SHA-256: d83172bdedd05d6639ea8a37c944ead3afafbef55ff42ed57e20b6cad79421dd
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body also contains this URL and numerous other links hosted on 'cdn.shopify.com' and other domains, suggesting a link farm for SEO poisoning or redirection. The heuristics indicate the document lures the user to install a browser extension or perform a clipboard command, common social engineering tactics to facilitate further malicious activity. No scripts were extracted, but the presence of the malicious redirector and the social engineering lures strongly suggest an attempt to lead the user to a malicious site.

Heuristics (5)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [high] SE_CLIPBOARD_COMMAND_LURE: Clipboard command execution lure
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • [high] SE_BROWSER_INSTALL_LURE: Browser extension / update installation lure
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • https://ttraff.com/pify?keyword=instagram+photos+videos+chrome
    • http://files.travellingpen.com/uploads/1/3/0/8/130813757/boginizana_zazemiz_mugifejubam.pdf
    • http://files.thespeechspacedc.com/uploads/1/3/2/7/132740553/xukodegesut.pdf
    • http://files.naturaltreatmentjointpain.com/uploads/1/3/1/4/131409909/tipedulid.pdf
    • https://cdn.shopify.com/s/files/1/0431/8127/7342/files/45797926316.pdf
    • https://cdn.shopify.com/s/files/1/0432/9888/1704/files/gezaxisesuw.pdf
    • https://cdn.shopify.com/s/files/1/0440/4094/5829/files/labopanovesowun.pdf
    • https://cdn.shopify.com/s/files/1/0434/0934/2621/files/20534641175.pdf
    • https://cdn.shopify.com/s/files/1/0431/0827/0244/files/vonugotu.pdf
    • https://cdn.shopify.com/s/files/1/0434/4047/2229/files/suwimelozexozalolom.pdf
    • https://cdn.shopify.com/s/files/1/0428/6929/3223/files/losikivevelafirun.pdf
    • https://cdn.shopify.com/s/files/1/0438/2933/0077/files/windows_10_change_user_name.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/81274949660.pdf
    • https://cdn.shopify.com/s/files/1/0431/6289/4495/files/wopagesosefofulob.pdf
    • https://cdn.shopify.com/s/files/1/0433/9764/4449/files/7525574498.pdf
    • https://cdn.shopify.com/s/files/1/0431/4379/0760/files/wekinedutevesedex.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000619e.bin
    SHA-256: 80db16410009479f557f5a62a5a86f472888c2af7a1b5e3fdbb747650db25480
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x619E
    Size: 5240 bytes
  • font_01_sfnt_off0000733a.bin
    SHA-256: 6f481b55d96dd274bd2be1d1a53ace9297a6d279b2e3eec7e37540a44d2ad9ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x733A
    Size: 9904 bytes
  • font_02_sfnt_off00009511.bin
    SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9511
    Size: 4324 bytes