Malicious PDF — malware analysis report

Static analysis result for SHA-256 d86b7b7e422542f3…

Verdict: MALICIOUS
File type: PDF
Size: 44.7 KB
Created: 2020-08-30 17:11:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6acb3795902d2032cbc1a2dacc9f66ac
SHA-1: 61a504e437dbe102ba6fca4aadb6908c174baa30
SHA-256: d86b7b7e422542f34ee7958e299e7bb7f6ad93ac9493ae9fb8a07c4c6293bac9
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.com'. The document body, though heavily obfuscated, appears to contain the same URL. The presence of numerous other Shopify links suggests a link farm or SEO poisoning attempt to mask the malicious redirect. No scripts were extracted, and the PDF structure itself does not indicate specific exploit techniques beyond the malicious link.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=path+of+empowerment+barbara+marciniak

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00006770.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6770  5344 bytes
  SHA-256: bb24ae81378729a08f92a7a6596d002746b35f6a124a335784fc1acb57b7b77e
font_01_sfnt_off00007987.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7987  1852 bytes
  SHA-256: 5ae1d259d034084be61ec780dd0ff4f7394a348651cf58c8458f9478dd568280
font_02_sfnt_off00008277.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8277  10192 bytes
  SHA-256: 2f0eb652e25363b81966a6a9400e084eacdea3b520cdc2f12ca05adbf7606009