Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2fde12cce163c00…

MALICIOUS

PDF

42.7 KB Created: 2020-08-18 18:00:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75b8f0a3d0dee2bc59d9c84aefbc46de SHA-1: 549209d7e22f6ff124543d0a4cbb862fe24ebb8d SHA-256: e2fde12cce163c00ff3f12ae9ce78b43cac37888ad6203366dc0b25e6e5cbfda
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm with 13 external PDF links, many of which point to Shopify domains. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.com/pify?keyword=bullfrog+spa+model+451+owners+manual'. This suggests the document is designed to lure users to malicious infrastructure. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=bullfrog+spa+model+451+owners+manual
    • http://files.courtneyfordart.com/uploads/1/3/0/7/130739996/funuriwowus.pdf
    • http://besew.olivialevez.com/uploads/1/3/0/8/130813042/2808aed46da95.pdf
    • http://files.mrbsfinest.com/uploads/1/3/2/3/132303080/wozesepivijiwox.pdf
    • http://files.jjwhitememorial.org/uploads/1/3/1/8/131871970/863fcf.pdf
    • https://cdn.shopify.com/s/files/1/0428/6880/1702/files/insanity_workout_exercise_list.pdf
    • https://cdn.shopify.com/s/files/1/0448/4517/0850/files/9_cadrans_de_l_abdomen.pdf
    • https://cdn.shopify.com/s/files/1/0431/6705/6029/files/status_i_plural_bestmd_form.pdf
    • https://cdn.shopify.com/s/files/1/0432/7132/3804/files/22084334857.pdf
    • https://cdn.shopify.com/s/files/1/0436/1325/7885/files/fewazumalipakomobegako.pdf
    • https://cdn.shopify.com/s/files/1/0428/2191/0694/files/learn_command_line_linux.pdf
    • https://cdn.shopify.com/s/files/1/0435/2091/7668/files/13632829665.pdf
    • https://cdn.shopify.com/s/files/1/0433/9122/1911/files/cezar_bitencourt_tratado_de_direito_penal.pdf
    • https://cdn.shopify.com/s/files/1/0438/7792/5019/files/64526568749.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065ea.bin
daaf8bed1e1e2ea6227cfa49204924f0bee87c6a7fcb194c5a1c427a76f117c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65EA 5764 bytes
font_01_sfnt_off00007999.bin
736e14b57dda1df4774593fd664a6fc1d4c129b3115cc92962b76c0e7b61f94b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7999 10696 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.