Malicious PDF — malware analysis report

Static analysis result for SHA-256 e24fc0feade22d1c…

Verdict: MALICIOUS

File type: PDF

Size: 43.8 KB
Created: 2020-09-13 06:33:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e259a5164d5c486ccb98e00f25e0336d
SHA-1: 0741c28ee6b825c16d5cc61d729a83622d55ad6d
SHA-256: e24fc0feade22d1c5ba590fc806d27edc0ec7e5e1a527ddbc7640d5c2f878573
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/pify?keyword=android+terminal+emulator+mod+apk'. Additionally, a heuristic for a clipboard command execution lure indicates the document instructs the user to copy and paste content into a shell. This suggests the document's primary purpose is to trick the user into executing commands that would likely download and run a second-stage payload from the provided malicious URL.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure (severity: high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/pify?keyword=android+terminal+emulator+mod+apk

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000633f.bin
    SHA-256: b90b109c34db9b2d961be312c0c64f13ba4f5af9c83d6ae4556a72cb7f468167
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x633F
    Size: 2880 bytes
  • font_01_sfnt_off00006d7d.bin
    SHA-256: f057039923581d4554fc02ae8d0c2c36c68ff3b67ea57fb263739fb2fdd339e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D7D
    Size: 4980 bytes
  • font_02_sfnt_off00007e50.bin
    SHA-256: c5b54018865de90ff596966a696a0160f9cbb0e988b68bec27e18de3eda4f189
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7E50
    Size: 10544 bytes