Malicious PDF — malware analysis report

Static analysis result for SHA-256 e33f1d66019f15e3…

Verdict: MALICIOUS
File type: PDF
Size: 95.1 KB
Created: 2020-07-30 22:11:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ae044b34e28920baad7cf5c6e886de4
SHA-1: 3aaa1759192b5b315dbdbaca9f1745d27a8ab5a5
SHA-256: e33f1d66019f15e324fe10361432a3d40831b93ff73c1cc24f351c4231c0d4fb
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/pify?keyword=agama+jainisme+pdf'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, many of which are hosted on shopify.com. The document body appears to be obfuscated or corrupted, preventing a clear understanding of its content, but the presence of the malicious redirector strongly suggests a phishing or malware delivery attempt.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=agama+jainisme+pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (SHA-256 of the carved file on the following line)

stream_009_off00012ad4.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x12AD4 | 2684 bytes
  SHA-256: 19f5e8be9219ee4ea411257b219e1ee12fdd022a3e30bb35285df2bd434fbd18
font_00_sfnt_off000100ce.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100CE | 1696 bytes
  SHA-256: a63dc7203ceba2031beaf1d50b83973ffdd0483474384fa5780efc3deacec6ca
font_01_sfnt_off000108f8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x108F8 | 4896 bytes
  SHA-256: c15294f1e8e3cd2c491049f9211055139f2fdde51378867c27b677fbff690479
font_02_sfnt_off00011986.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11986 | 4960 bytes
  SHA-256: f94d5e512708551c4affaecd0de7f633e1b77e5cc1603c50776336eea5dbed4e
font_04_sfnt_off0001369a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1369A | 10040 bytes
  SHA-256: 7edd8c4c2625b1c0a199bf921d6f038d92ce3df43e7ef5da8aefb4cf6e9223ae
font_05_sfnt_off00015913.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15913 | 5296 bytes
  SHA-256: 77ec0c6e8bfb3d55228176c729a537a427019c0a5933658c427ff95bfb09a4f9