Malicious PDF — malware analysis report

Static analysis result for SHA-256 df827dab8ce16878…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Created: 2020-08-21 03:27:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c22c356d667c425478c12d844c69129
SHA-1: 39696786ec3a736878ba3c852dcc1c4cf03a631e
SHA-256: df827dab8ce16878e081fe724e63f6cf4b1ae74a0fdbdb0f390fddb4a2cda24d
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically `https://ttraff.ru/pify?keyword=irish+fiddle+sheet+music+violin`. This link is presented within the document body, disguised as sheet music, to entice users to click. The PDF also exhibits characteristics of a link farm, with numerous embedded links pointing to external resources, many of which are hosted on `cdn.shopify.com`. The primary malicious link is the highest priority IOC.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=irish+fiddle+sheet+music+violin
    • http://files.northernfitness.net/uploads/1/3/1/4/131437246/9588946.pdf
    • http://files.lastcallromanceband.com/uploads/1/3/1/4/131438658/1811979.pdf
    • http://jowipefe.sladefanclub.com/uploads/1/3/0/9/130969754/bexevul.pdf
    • https://cdn.shopify.com/s/files/1/0433/4449/4760/files/arguably_christopher_hitchens_download.pdf
    • https://cdn.shopify.com/s/files/1/0449/7804/5086/files/17286156483.pdf
    • https://cdn.shopify.com/s/files/1/0440/8927/8616/files/busenik.pdf
    • https://cdn.shopify.com/s/files/1/0434/9722/6402/files/journey_to_ungoro_spoilers.pdf
    • https://cdn.shopify.com/s/files/1/0446/7376/1433/files/cooking_with_herbs_and_spices.pdf
    • https://cdn.shopify.com/s/files/1/0433/9187/7283/files/58493466676.pdf
    • https://cdn.shopify.com/s/files/1/0429/5199/9637/files/jisab.pdf
    • https://cdn.shopify.com/s/files/1/0448/0620/9702/files/zonarajixid.pdf
    • https://cdn.shopify.com/s/files/1/0441/0517/1096/files/blacklist_wiki_episode_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/7505/1421/files/27165730186.pdf
    • https://cdn.shopify.com/s/files/1/0432/0660/7005/files/87715994033.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006574.bin
  SHA-256: 56dfb12bab004d5490b5ee704354a70d1c7a5f733bcb61a86417f83f7c30910a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6574
  Size: 5048 bytes

Filename: font_01_sfnt_off00007676.bin
  SHA-256: 84aaa63ff1e798e82837886e26966e1cd6471ba5be9ea25aac6e47143f25bc6c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7676
  Size: 10724 bytes

Filename: font_02_sfnt_off00009af0.bin
  SHA-256: 73e2bae015806fcbcea00a5e77fef36cf57312733aebee32ba98308b5ce41d75
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9AF0
  Size: 16120 bytes