Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0ca7f72389b2b27…

MALICIOUS

PDF

73.5 KB Created: 2020-08-15 06:50:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ac1ad6529615580fa0a919af065bc614 SHA-1: 6b950921bcbc41dc4e321c2fe90705240934409e SHA-256: e0ca7f72389b2b27701b53dee2f01a6b6894b6611f02bf1b5f7b355d96f5de7d
148 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF contains embedded JavaScript and links to known malicious redirector infrastructure. The document body text, though heavily obfuscated, contains a URL that appears to be part of a callback phishing scheme, directing users to 'ttraff.cc' with a keyword related to Java exceptions. This, combined with the 'SE_CALLBACK_LURE' heuristic, strongly suggests a phishing attempt designed to elicit a phone call for fraudulent purposes. The PDF also hosts a large number of external links, many pointing to Shopify domains, which is characteristic of SEO link farm techniques used to distribute malicious content.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=different+types+of+exception+in+java+pdf
    • http://korex.dalyconstruction.co.nz/uploads/1/3/0/7/130739593/savumur.pdf
    • http://files.pimaboutique.com/uploads/1/3/1/6/131637271/disuvufobazifaruwo.pdf
    • http://files.myvanessaonline.com/uploads/1/3/1/6/131637553/badazid.pdf
    • http://files.tylersistersboutique.com/uploads/1/3/2/6/132682640/didugajatamu.pdf
    • http://files.personalbaggagestyle.com/uploads/1/3/1/3/131379343/bawufedu_zokobowu_nefurepubaw.pdf
    • https://cdn.shopify.com/s/files/1/0430/8625/0137/files/68246747142.pdf
    • https://cdn.shopify.com/s/files/1/0434/3591/7464/files/xamenef.pdf
    • https://cdn.shopify.com/s/files/1/0434/5259/6374/files/diagnostic_test_for_tuberculosis.pdf
    • https://cdn.shopify.com/s/files/1/0438/8667/4088/files/73602307466.pdf
    • https://cdn.shopify.com/s/files/1/0429/8375/1831/files/gibagovuferopesexiduboref.pdf
    • https://cdn.shopify.com/s/files/1/0448/5398/5442/files/polaroid_snap_camera_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/6567/9776/files/fuzimesukidone.pdf
    • https://cdn.shopify.com/s/files/1/0432/6231/2611/files/79056130780.pdf
    • https://cdn.shopify.com/s/files/1/0430/2202/4867/files/36816332550.pdf
    • https://cdn.shopify.com/s/files/1/0428/5428/5479/files/pifuwonokovebojaxujikot.pdf
    • https://cdn.shopify.com/s/files/1/0433/3377/9611/files/26609312745.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d3f1.bin
693db17ecad402ee066c4867c69ccddb5443b779c3773f77cbddc3756d86b1d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD3F1 5208 bytes
font_01_sfnt_off0000e5c9.bin
5cff094f2247d02e5b589e09a402908424ace29c6fb4e6be23deb234922bf683		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5C9 10848 bytes
font_02_sfnt_off00010a93.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A93 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.