Malicious PDF — malware analysis report

Static analysis result for SHA-256 db4f329b70965ea6…

MALICIOUS

PDF

47.8 KB Created: 2020-08-14 23:08:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e2516b8ce02b9c82045917f2b702945 SHA-1: 098e9322e1b327a8d5c8d102044a6dbe7c0dfb53 SHA-256: db4f329b70965ea6aae8456d02e1f03698e4d3d7cd4d3d7c4e132c44e7310f79
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to benign Shopify URLs, but one critical link redirects to a known malicious domain, ttraff.com. This suggests a phishing or redirection attempt. The document body, though heavily obfuscated, contains the target URL, reinforcing the malicious intent. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=history%20of%20yoruba%20race%20pdf
    • http://files.harwellenterprises.com/uploads/1/3/1/4/131453144/vunamerob-sisudozosare-wukibat-pagimofa.pdf
    • https://cdn.shopify.com/s/files/1/0433/4013/6601/files/batman_beyond_complete_series.pdf
    • https://cdn.shopify.com/s/files/1/0438/0455/7469/files/26686685409.pdf
    • https://cdn.shopify.com/s/files/1/0434/6055/9013/files/92353910274.pdf
    • https://cdn.shopify.com/s/files/1/0447/7108/2391/files/optical_isomerism_iit_jee.pdf
    • https://cdn.shopify.com/s/files/1/0430/9739/1261/files/1074851214.pdf
    • https://cdn.shopify.com/s/files/1/0431/7547/7416/files/31443182592.pdf
    • https://cdn.shopify.com/s/files/1/0447/4231/2085/files/losevumudu.pdf
    • https://cdn.shopify.com/s/files/1/0449/7919/1966/files/zebul.pdf
    • https://cdn.shopify.com/s/files/1/0434/6006/7480/files/5104431589.pdf
    • https://cdn.shopify.com/s/files/1/0437/7539/3944/files/bitbucket_permission_denied_publickey.pdf
    • https://cdn.shopify.com/s/files/1/0431/0512/4516/files/kugaw.pdf
    • https://cdn.shopify.com/s/files/1/0430/7763/2161/files/sofusaretunad.pdf
    • https://cdn.shopify.com/s/files/1/0437/0379/5865/files/butterworth_bandpass_filter.pdf
    • https://cdn.shopify.com/s/files/1/0433/9941/3925/files/36688984310.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007c23.bin
612f931015c9c0454f0ffe211b695fa72f6b118c673721a20f0dcb9f36424341		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C23 5320 bytes
font_01_sfnt_off00008e45.bin
50360b6506947f555233b11ac3867e035f6fb6d56a971eff887e8b812fad9218		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E45 11500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.