Malicious PDF — malware analysis report

Static analysis result for SHA-256 dec8f4096d86b2c0…

MALICIOUS

PDF

Size: 97.7 KB
Created: 2020-08-21 00:19:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7dfb00567d87a6309e18a9de15e5f889
SHA-1: f40102a850d5258d7aa8cedaa98f9f59965721a3
SHA-256: dec8f4096d86b2c0a54a8e098ba201b5be215b67c2fd6980cae8a53c98d20e2d
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the PDF carries a clickable URI to redirector infrastructure; T1566.002 is the Link sub-technique, T1566.001 is Attachment)
T1059.001 PowerShell (mapped by the analyzer, but not evidenced by this sample: no scripts were extracted, so this mapping should be treated as campaign context rather than an observed behaviour)

The PDF fires a critical heuristic for a clickable link to known malicious redirector infrastructure on 'ttraff.cc'; the query string of that URL (keyword=yamla+pagla+deewana+3+english+subtitles) is a lure for movie subtitles. The document body is an ordinary FlateDecode-compressed stream and no JavaScript or other script was extracted from the sample, so any payload delivery depends on the user clicking the link and following the redirect chain rather than on a PDF parser exploit. The PDF also matches the SEO link-farm pattern: twelve clickable links to external PDF files, eleven of them on cdn.shopify.com file storage, the kind of generated carrier used for search-ranking manipulation or to route visitors into further unwanted-software download chains. The file was produced with wkhtmltopdf, consistent with an automatically rendered web page rather than an authored document.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector link (the clickable URI flagged by PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.cc/pify?keyword=yamla+pagla+deewana+3+english+subtitles
    Clickable external PDF links (the cluster flagged by PDF_SEO_LINK_FARM; 11 of 12 on cdn.shopify.com):
    • http://files.laurenknipper.com/uploads/1/3/0/8/130813859/mazodiruxara.pdf
    • https://cdn.shopify.com/s/files/1/0433/0664/7717/files/easy_web_server.pdf
    • https://cdn.shopify.com/s/files/1/0429/8699/5863/files/virginia_state_search_warrant_form.pdf
    • https://cdn.shopify.com/s/files/1/0434/5780/6503/files/mabotumafulanenoda.pdf
    • https://cdn.shopify.com/s/files/1/0432/2911/8627/files/vogaxakotor.pdf
    • https://cdn.shopify.com/s/files/1/0430/5672/6165/files/aste_babuino_catalogo.pdf
    • https://cdn.shopify.com/s/files/1/0430/8143/3242/files/moto_360_manual.pdf
    • https://cdn.shopify.com/s/files/1/0437/0304/2216/files/fojedizuguriw.pdf
    • https://cdn.shopify.com/s/files/1/0432/5523/4710/files/pudajusakerojalosasewi.pdf
    • https://cdn.shopify.com/s/files/1/0432/2977/3982/files/xamumofolunokotoserejeba.pdf
    • https://cdn.shopify.com/s/files/1/0431/1197/3026/files/23129883094.pdf
    • https://cdn.shopify.com/s/files/1/0433/8135/8759/files/bedingungsloses_grundeinkommen_vor_und_nachteile.pdf
    XMP metadata namespace identifiers (benign: these are XML namespace URIs from the document's XMP packet, not clickable links, and appear in any XMP-tagged PDF; they should not be treated as indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
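The two critical heuristics above rest on a distinction the EMBEDDED_URL note only hints at: which channel each URL came from. Link-annotation URIs are clickable, the document body is only text, and XMP namespace URIs are not links at all. The script below is an added worked example, not the analyzer's own code: it constructs a small PDF in memory (placeholder hosts, not the indicators from this report) with twelve /Link annotations clustered on one host, an XMP metadata stream carrying the real namespace URIs, and a FlateDecode-compressed page content stream that holds a body-text URL. It then labels every extracted URL by channel and applies a link-farm heuristic in the spirit of PDF_SEO_LINK_FARM. The thresholds (file size, minimum number of PDF links, share on the dominant host) are assumptions for illustration, and the regex-based scan is deliberately simple: it does not walk the object tree or handle object streams, which a production parser must.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data: placeholder hosts, not the indicators from the report.
CLICKABLE_URIS = [
    f"https://cdn.example-shop.test/s/files/1/04{i:02d}/files/doc{i}.pdf" for i in range(11)
] + ["http://files.other-host.test/uploads/1/3/0/8/extra.pdf"]
BODY_URL = "https://redirector.example.test/pify?keyword=some+movie+subtitles"
XMP_NAMESPACES = [  # real XMP namespace URIs; they occur in any XMP-tagged PDF
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/xap/1.0/",
]


def build_pdf(uris, body_text, namespaces):
    """Emit a minimal PDF: one page, a FlateDecode content stream holding body_text,
    an XMP /Metadata stream with the namespace URIs, and one /Link annotation per URI.
    No xref table: enough for a byte-level scanner, not for a viewer. URIs must not
    contain unbalanced parentheses (PDF literal strings would need escaping)."""
    content = zlib.compress(f"BT /F1 12 Tf 72 720 Td ({body_text}) Tj ET".encode())
    xmp = ("<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           + " ".join(f"xmlns:n{i}='{ns}'" for i, ns in enumerate(namespaces))
           + "></rdf:RDF></x:xmpmeta>").encode()
    annot_ids = list(range(6, 6 + len(uris)))
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 5 0 R /Annots ["
        + " ".join(f"{n} 0 R" for n in annot_ids).encode() + b"] >>\nendobj\n",
        b"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream\nendobj\n",
    ]
    for n, uri in zip(annot_ids, uris):
        parts.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
                     f"/A << /S /URI /URI ({uri}) >> >>\nendobj\n".encode())
    parts.append(b"%%EOF\n")
    return b"".join(parts)


URL_RE = re.compile(rb"https?://[^\s<>'\"()]+")
LINK_URI_RE = re.compile(rb"/Subtype\s*/Link\b.*?/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
META_STREAM_RE = re.compile(rb"/Type\s*/Metadata\b.*?stream\r?\n(.*?)\r?\nendstream", re.S)
FLATE_RE = re.compile(rb"/FlateDecode\b.*?stream\r?\n(.*?)\r?\nendstream", re.S)


def extract_urls(pdf):
    """Map each URL to the channel it was reached through:
    'link-annotation' (clickable), 'xmp-metadata' (namespace URI), 'document-body'."""
    link_uris = {m.group(1).decode("latin-1") for m in LINK_URI_RE.finditer(pdf)}
    meta_urls = set()
    for m in META_STREAM_RE.finditer(pdf):
        meta_urls.update(u.decode("latin-1") for u in URL_RE.findall(m.group(1)))
    body_urls = set()
    for m in FLATE_RE.finditer(pdf):  # inflate compressed streams before scanning
        try:
            body_urls.update(u.decode("latin-1") for u in URL_RE.findall(zlib.decompress(m.group(1))))
        except zlib.error:
            pass  # not a plain zlib stream (predictors, params); a real tool handles these
    labeled = {u: "link-annotation" for u in link_uris}
    for u in meta_urls:
        labeled.setdefault(u, "xmp-metadata")
    for u in body_urls:
        labeled.setdefault(u, "document-body")
    for u in URL_RE.findall(pdf):  # anything else visible in the raw bytes
        labeled.setdefault(u.decode("latin-1"), "document-body")
    return labeled


def link_farm_heuristic(pdf, labeled, max_size=200_000, min_pdf_links=8, min_host_share=0.6):
    """Assumed thresholds: a small PDF whose clickable links are mostly .pdf files on one
    host. Only link annotations count; XMP URIs and body text are not clickable."""
    clickable = [u for u, ch in labeled.items() if ch == "link-annotation"]
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fires = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_host_share
    return {"fires": fires, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2)}


if __name__ == "__main__":
    sample = build_pdf(CLICKABLE_URIS, BODY_URL, XMP_NAMESPACES)
    urls = extract_urls(sample)
    for u, ch in sorted(urls.items(), key=lambda kv: kv[1]):
        print(f"{ch:16} {u}")
    print(link_farm_heuristic(sample, urls))
```

Running it prints the body-text redirector URL, the three XMP namespaces and the twelve clickable links with their channel, and the heuristic fires with eleven of twelve PDF links on the dominant host. The point of the channel label is the caveat in the EMBEDDED_URL note: a URL extracted from XMP or from body text is not a click target, so it should neither trigger a link-based heuristic nor be promoted to an indicator on its own.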

Extracted artifacts 15

Files carved from inside the sample during analysis. Fourteen of the fifteen artifacts are sfnt (TrueType/OpenType) font programs embedded by the authoring application; the remaining one is the FlateDecode-compressed stream at offset 0x144B8. No script or embedded-file artifact was carved, consistent with the finding above that no scripts were extracted.

Filename | SHA-256 | Kind | Source | Size
stream_016_off000144b8.bin | b7b034e201fd2807896e4cea2090d28d18bcb2395976daf593a6d1d45b1105ee | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x144B8 | 18892 bytes
font_00_sfnt_off00006aaf.bin | e679725072c74ab1de830ba6dd25101ec2f6d7be962e72d99a133184e56e62d0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6AAF | 7916 bytes
font_01_sfnt_off00007f0f.bin | 97c2b2e40c1385b4481fda1c9b3ae017bab0cd090847a61954886acf943b7a13 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F0F | 4032 bytes
font_02_sfnt_off00008d80.bin | 07239dfdd794bfc955f1dfd201c8dbae156ac5e7f7ed970792125d61a86208f6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D80 | 5632 bytes
font_03_sfnt_off0000a08c.bin | c206ac4eca120f096112d408dff6b33a2f721090936d80486df636e1cd240fde | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA08C | 2656 bytes
font_04_sfnt_off0000ab90.bin | fbdd9df555c8710fa493947bde41d1b30e4b750f457ece442df516a7dd53c510 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAB90 | 4140 bytes
font_05_sfnt_off0000b8ac.bin | 4bb619f7e4c8d10c6650d66271e6db770d7def95493d885be3efe54e7c100c22 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB8AC | 3048 bytes
font_06_sfnt_off0000c4ba.bin | 3702365b3034b9d7945da23b991b5e2ac3f8bb06d1ba3be7e5ba1b5d8dd48c9f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC4BA | 2328 bytes
font_07_sfnt_off0000cf73.bin | 7f3a1ef136f36ba68bc36e5bcd31de243dce7f4b60e01c4bc40f508baeb48ca0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCF73 | 2604 bytes
font_08_sfnt_off0000da4e.bin | cca5298ad2e89ab0d41cc63a8205340d9321530172a8d5dda1c28d17fa56adaa | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA4E | 3840 bytes
font_09_sfnt_off0000e85b.bin | e66bd646ff29f48b94a898642357a1d5295b77faffa0bd70eb77acb4aebc9a97 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE85B | 2108 bytes
font_10_sfnt_off0000f234.bin | 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF234 | 4336 bytes
font_11_sfnt_off0000ffd4.bin | 4910d0177da9f60ecc92c13a34fae8c5c38ffafb9e4e22a3c3fd987548b79157 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFD4 | 6148 bytes
font_12_sfnt_off00010fbf.bin | d5d12d317e6794f4101821e237381414c7afaaec42a2594927ebb1e0824870e6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10FBF | 17096 bytes
font_14_sfnt_off00016415.bin | 1fe4ccd105a2165bdc8813e8ca44fd8ac4690c69a3d9c3432bfadde42be3cbe3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16415 | 3536 bytes