Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6b3f018fad64f4d…

MALICIOUS

PDF

40.9 KB Created: 2020-08-17 09:00:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c7a8d6850b753705ea3a51fcc2498532 SHA-1: 55e45cf89bcb501d7e15d771616478a81993624a SHA-256: e6b3f018fad64f4d92bcc8dc7f3cda9f4944295ac8bb3c69aa956295a8457486
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains the same URL and a lure for a 'Pacman game for Windows XP', suggesting a social engineering tactic to trick users into clicking the malicious link. The PDF also exhibits characteristics of an SEO link farm, with numerous links to Shopify-hosted PDFs, likely to improve search engine ranking for malicious content. The primary malicious IOC is the redirector URL.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=pacman+game++for+windows+xp
    • http://pegofimol.peaknomads.co.uk/uploads/1/3/1/3/131383837/fadezox.pdf
    • https://cdn.shopify.com/s/files/1/0438/7015/9016/files/47398051145.pdf
    • https://cdn.shopify.com/s/files/1/0432/5697/1432/files/the_immigrant_song_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0430/1481/5901/files/fererunazunevasuzajede.pdf
    • https://cdn.shopify.com/s/files/1/0436/0064/2211/files/sovavepuwanijuwuremeju.pdf
    • https://cdn.shopify.com/s/files/1/0433/1572/4456/files/adler_s_physiology_of_the_eye.pdf
    • https://cdn.shopify.com/s/files/1/0430/2913/5521/files/jepateselusijujolili.pdf
    • https://cdn.shopify.com/s/files/1/0436/1935/2740/files/fasojuzu.pdf
    • https://cdn.shopify.com/s/files/1/0434/2608/7064/files/japapazo.pdf
    • https://cdn.shopify.com/s/files/1/0448/4136/9761/files/baladi_bread_nutrition_information.pdf
    • https://cdn.shopify.com/s/files/1/0432/3622/9277/files/84822599465.pdf
    • https://cdn.shopify.com/s/files/1/0430/0580/4698/files/61423519219.pdf
    • https://cdn.shopify.com/s/files/1/0431/4133/3147/files/13911513700.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000600e.bin
cbebd7b395f9401727ed1af5aae3aa6189544de86b30109691d139662cdebcd9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x600E 5604 bytes
font_01_sfnt_off00007319.bin
9eb4fbc984c950ef43eae83c45f3faa9cab0c22626a6ed0331f76ddaa3adfbad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7319 10496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.