Malicious PDF — malware analysis report

Static analysis result for SHA-256 e74b3cc77b6efac9…

MALICIOUS

PDF

52.9 KB Created: 2020-08-19 21:51:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9971969daa3133d167d4f1ad684dcdc3 SHA-1: e3f135d8aebde62f49e4cfb5ad99d2ca3b9c7ac9 SHA-256: e74b3cc77b6efac953d5e572453954d83e735dcd74d2ec75ca3e150f0d5d3724
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a lure for 'Cydia full version free ios' and embeds numerous links, including a critical redirector link to ttraff.com. The document body also contains text suggesting the user copy or paste content into a shell, indicating a potential command execution lure. The presence of a malicious redirector and the social engineering pretext point towards a phishing or scam campaign.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=cydia+full+version+free+ios
    • http://files.lavoratodesigns.com/uploads/1/3/0/9/130969176/7220214.pdf
    • http://fifas.johnredekercards.com/uploads/1/3/2/7/132740764/fureboze.pdf
    • http://gonazopir.hamilkerrchallenge.com/uploads/1/3/2/3/132303382/b62ed.pdf
    • http://files.projectharmonyvct.com/uploads/1/3/1/8/131856435/7337389.pdf
    • http://kiwove.classicadventures.co.uk/uploads/1/3/1/0/131070750/tagugukezasovej.pdf
    • https://cdn.shopify.com/s/files/1/0430/7940/1632/files/wisaxizazew.pdf
    • https://cdn.shopify.com/s/files/1/0435/7442/7806/files/54421921345.pdf
    • https://cdn.shopify.com/s/files/1/0438/6524/3803/files/nomekosumovisumabok.pdf
    • https://cdn.shopify.com/s/files/1/0435/7334/6463/files/10_ton_press.pdf
    • https://cdn.shopify.com/s/files/1/0437/8460/1752/files/96060663187.pdf
    • https://cdn.shopify.com/s/files/1/0431/3025/7568/files/4827277057.pdf
    • https://cdn.shopify.com/s/files/1/0434/5928/1048/files/96200718202.pdf
    • https://cdn.shopify.com/s/files/1/0440/0198/4662/files/interlocking_accounting_system.pdf
    • https://cdn.shopify.com/s/files/1/0428/3272/4124/files/15177691443.pdf
    • https://cdn.shopify.com/s/files/1/0437/8768/1954/files/zerajanoveke.pdf
    • https://cdn.shopify.com/s/files/1/0437/7726/1729/files/gapowimigolusezal.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009078.bin
a08bd636057a843174eb789b3e07a2a0448cad1bce5eb30b98f040e17a6c7446		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9078 4968 bytes
font_01_sfnt_off0000a178.bin
b3788d5c4effe761c190a4061cbdb8094e15f68a6251e24eda9a56922f782408		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA178 11492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.