Malicious PDF — malware analysis report

Static analysis result for SHA-256 e90e211885ed1e1d…

MALICIOUS

PDF

42.4 KB Created: 2020-08-07 04:57:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bbf84197577b13a1796c4878bba3fc8 SHA-1: 28dd3e2eb80f4c18ea24f085fd92ca216230bdc0 SHA-256: e90e211885ed1e1dfa4f451649e3460812cb69ad7063e1a198dc741f92216550
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, many hosted on Shopify, designed to appear as legitimate search results. The primary malicious link, https://ttraff.com/pify?keyword=window+air+conditioner+parts+name+pdf, is a redirector likely leading to a malicious payload or phishing page. The document body, though heavily obfuscated, contains the same lure text and the malicious URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=window+air+conditioner+parts+name+pdf
    • http://files.lchsamazink.com/uploads/1/3/1/4/131437601/powiluzidaferot.pdf
    • http://files.experiencebirthandbeyond.com/uploads/1/3/1/6/131637953/8760802.pdf
    • http://files.arfstrom.net/uploads/1/3/0/9/130969262/nowifuvav_dobob_xubole.pdf
    • https://cdn.shopify.com/s/files/1/0434/1297/9869/files/birimudetigima.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/92161478626.pdf
    • https://cdn.shopify.com/s/files/1/0430/8788/8545/files/20027223720.pdf
    • https://cdn.shopify.com/s/files/1/0434/2094/2486/files/gujagurejukemi.pdf
    • https://cdn.shopify.com/s/files/1/0428/2174/6847/files/bafipef.pdf
    • https://cdn.shopify.com/s/files/1/0432/0926/1218/files/lugepalapolutujemap.pdf
    • https://cdn.shopify.com/s/files/1/0437/8991/0165/files/zudujafujulasilutisi.pdf
    • https://cdn.shopify.com/s/files/1/0437/4672/1946/files/fubumokakiriwetaseri.pdf
    • https://cdn.shopify.com/s/files/1/0428/4848/5535/files/12544115809.pdf
    • https://cdn.shopify.com/s/files/1/0431/0751/6565/files/57763791002.pdf
    • https://cdn.shopify.com/s/files/1/0430/7537/1162/files/wawoxeguda.pdf
    • https://cdn.shopify.com/s/files/1/0432/8026/9462/files/lomavi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006850.bin
4c9367411321ef6c0cb18219f339c0f57364ae1dc9d441c28d0f9dd06ec633bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6850 5372 bytes
font_01_sfnt_off00007a9d.bin
0b4939aceed0f0eb24950503f92360478073cba0b298efe9c7ec98485a500c44		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A9D 9984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.