Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea22fc7cb0c29b19…

Verdict: MALICIOUS
File type: PDF
Size: 87.1 KB
Created: 2020-09-20 04:28:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5dc5326ec0028fdab929ea30e3d00738
SHA-1: 1fba20352fcfcef1c1a004994d93326894c7002e
SHA-256: ea22fc7cb0c29b1987975becb027099c4bf89d4df1533f4e87a727face779035
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the document's only delivery mechanism is a clickable URI); T1059.001 PowerShell (listed by the report, but no JavaScript, Launch action or script was extracted from this sample, so the mapping is not backed by any artifact on this page)

The critical heuristic fired because the PDF carries a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. The document body is heavily obfuscated, but it contains the URL that appears to be the target of the lure: https://ttraff.com/wix?keyword=13th+century+knight. The remaining external links all point to other PDFs, most of them hosted on cdn.shopify.com and the rest on filesusr.com, which is the pattern of a generated link farm built to raise the search-engine ranking of the campaign's content rather than a normal citation pattern. No parser vulnerability is involved; the sample depends on the user clicking through a redirect chain.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=13th+century+knight
    • https://cdn.shopify.com/s/files/1/0435/0967/8234/files/pusevexaziletowulanozuk.pdf
    • https://cdn.shopify.com/s/files/1/0433/4691/9579/files/41824505151.pdf
    • https://cdn.shopify.com/s/files/1/0434/9244/2264/files/zudiv.pdf
    • https://94cebeb0-99c2-405c-aa97-ede7a5db4a22.filesusr.com/ugd/3254bf_9170fd091b8a4968b2b116cb65a66397.pdf?index=true
    • https://5f8042e8-e481-4066-a7a1-f26a24f3851b.filesusr.com/ugd/defcb2_eabd5c3c3e0e49079d1ea61401557b42.pdf?index=true
    • https://cf4202cd-cac2-40a1-939d-44d9c880e448.filesusr.com/ugd/debdc1_57da8a868629434ea44d5d6085d769e6.pdf?index=true
    • https://b6601bc3-ec5b-4385-9f06-7845676426f2.filesusr.com/ugd/0a052f_5b67adc57a18432a87ff7a13a629034f.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0465/3986/6270/files/vixemiremutonenosu.pdf
    • https://cdn.shopify.com/s/files/1/0429/2640/7833/files/96877916626.pdf
    • https://cdn.shopify.com/s/files/1/0436/4782/8133/files/86378929695.pdf
    The six entries below are XML namespace identifiers from the document's XMP metadata packet (RDF, Dublin Core and Adobe XMP schemas). They are present in any PDF that carries XMP metadata, are not link annotations, and do not count toward the link-farm or redirector heuristics, which only consider clickable URIs.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
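The channel split and the two critical rules above, as an added example that is not the report generator's own code. It assumes the PDF objects are stored uncompressed (real samples usually need their FlateDecode streams inflated first), a constructed watchlist REDIRECTOR_HOSTS that contains ttraff.com because the report names that host, and illustrative thresholds SMALL_PDF_BYTES, MIN_FARM_LINKS and MIN_CLUSTER_SHARE; build_sample_pdf, extract_urls and evaluate are names chosen here. The sample input is a constructed one-page PDF whose link annotations reuse URLs listed in this report.

```python
# Added example (not the report generator's code): extract URLs from an
# uncompressed PDF by channel and apply the report's three heuristics.
# Assumptions not taken from the page: objects are uncompressed, the
# watchlist is constructed, and the numeric thresholds are illustrative.
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

REDIRECTOR_HOSTS = {"ttraff.com"}   # constructed watchlist, not a real feed
SMALL_PDF_BYTES = 200 * 1024        # assumed upper bound for a "small" carrier
MIN_FARM_LINKS = 5                  # assumed minimum number of external .pdf links
MIN_CLUSTER_SHARE = 0.5             # assumed share of .pdf links on the top host

# The /URI key of a URI action followed by a literal string (escaped parens allowed).
URI_ACTION = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)
# Namespace declarations inside an XMP packet: identifiers, not clickable links.
XMP_NS = re.compile(rb'xmlns:[\w.-]+="(https?://[^"]+)"')

# Constructed sample input: URLs taken from the report.
SAMPLE_URLS = [
    "https://ttraff.com/wix?keyword=13th+century+knight",
    "https://cdn.shopify.com/s/files/1/0435/0967/8234/files/pusevexaziletowulanozuk.pdf",
    "https://cdn.shopify.com/s/files/1/0433/4691/9579/files/41824505151.pdf",
    "https://cdn.shopify.com/s/files/1/0434/9244/2264/files/zudiv.pdf",
    "https://cdn.shopify.com/s/files/1/0465/3986/6270/files/vixemiremutonenosu.pdf",
    "https://94cebeb0-99c2-405c-aa97-ede7a5db4a22.filesusr.com/ugd/3254bf_9170fd091b8a4968b2b116cb65a66397.pdf?index=true",
    "https://5f8042e8-e481-4066-a7a1-f26a24f3851b.filesusr.com/ugd/defcb2_eabd5c3c3e0e49079d1ea61401557b42.pdf?index=true",
]

def build_sample_pdf(urls):
    """Constructed input: a one-page PDF with one /Link annotation (URI action)
    per URL plus an XMP metadata stream, written uncompressed with a valid xref."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>'
           b'</rdf:RDF></x:xmpmeta>')
    annot_refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annot_refs + b"] >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)

def extract_urls(pdf):
    """Return URLs per channel; only 'link_annotation' entries are clickable."""
    def unescape(s):
        return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")
    return {
        "link_annotation": [unescape(m) for m in URI_ACTION.findall(pdf)],
        "xmp_metadata": [m.decode("latin-1") for m in XMP_NS.findall(pdf)],
    }

def evaluate(pdf):
    """Return [(severity, rule_id, detail)] for the report's three heuristics."""
    urls = extract_urls(pdf)
    links = urls["link_annotation"]
    hosts = [urlparse(u).hostname or "" for u in links]
    findings = []
    redirector = sorted({u for u, h in zip(links, hosts)
                         if any(h == r or h.endswith("." + r) for r in REDIRECTOR_HOSTS)})
    if redirector:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirector))
    # Link-farm rule: only clickable links whose path is a .pdf count; namespaces never do.
    pdf_hosts = [h for u, h in zip(links, hosts) if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= SMALL_PDF_BYTES and len(pdf_hosts) >= MIN_FARM_LINKS:
        host, n = Counter(pdf_hosts).most_common(1)[0]
        if n / len(pdf_hosts) >= MIN_CLUSTER_SHARE:
            findings.append(("critical", "PDF_SEO_LINK_FARM", (host, n, len(pdf_hosts))))
    if any(urls.values()):   # informational only: a URL by itself is not a detection
        findings.append(("info", "EMBEDDED_URL", {k: len(v) for k, v in urls.items()}))
    return findings

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    print("sha256", hashlib.sha256(sample).hexdigest(), "size", len(sample))
    for severity, rule, detail in evaluate(sample):
        print(f"[{severity}] {rule}: {detail}")
```

The channel split is what keeps the verdict honest: the XMP namespace URIs are surfaced under EMBEDDED_URL but never feed the redirector or link-farm rules, which look only at /URI actions a reader could follow. The obfuscated page text the report mentions is not parsed here; that would require decoding the content streams, and a URL found there should likewise be labelled as document-body rather than as a clickable link.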

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs (sfnt, i.e. TrueType/OpenType); no script, executable or secondary document was carved.

font_00_sfnt_off00010cfb.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10CFB
  Size:    4928 bytes
  SHA-256: 636035bde1f33667fed16838bbc2a7e13c6528e2fe4c88a24b48d6eedcdf1311

font_01_sfnt_off00011dd1.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x11DD1
  Size:    16304 bytes
  SHA-256: 8e0309e2769a31af06e85f5bb6892b21610458b5921f4663b9230d86b7fd4cac
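Reproducing this kind of carve, as an added example that is not the report tool's code: the sfnt header gives the table count and each table record gives an offset and length, so the end of the font can be computed from the directory instead of guessing. It assumes the font streams have already been inflated (the scan runs over raw bytes, so FlateDecode streams must be decompressed first), and sfnt_length, carve_fonts, build_sample_sfnt and the MAX_TABLES bound are names and values chosen here. The input is a constructed blob containing two minimal fonts and one stray magic sequence that must be rejected.

```python
# Added example (not the report tool's code): carve sfnt font programs
# (TrueType/OpenType, as embedded via PDF /FontFile2 and /FontFile3 streams)
# out of a raw byte blob and hash them, producing records shaped like the
# report's font_NN_sfnt_offXXXXXXXX.bin artifacts. Assumes the bytes are
# already uncompressed; MAX_TABLES is an assumed sanity bound.
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType 1.0, Apple 'true', CFF OpenType
MAX_TABLES = 64   # assumed bound; real fonts have far fewer tables

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def sfnt_length(blob, off):
    """Length of the sfnt at `off`, derived from its table directory, or None
    when the header is implausible (magic bytes found inside unrelated data)."""
    if off + 12 > len(blob):
        return None
    num_tables = struct.unpack(">H", blob[off + 4:off + 6])[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(blob):
        return None
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, toff, tlen = struct.unpack(">4sIII", blob[rec:rec + 16])
        if not all(0x20 <= c <= 0x7E for c in tag):   # tags are 4 printable ASCII bytes
            return None
        if toff < dir_end or off + toff + tlen > len(blob):
            return None
        end = max(end, toff + tlen)
    end = (end + 3) & ~3                       # tables are 4-byte aligned
    return min(end, len(blob) - off)           # tolerate a missing final pad

def carve_fonts(blob):
    """Scan for sfnt headers, validate each, and return carve records in file order."""
    records, pos = [], 0
    while True:
        hits = [i for i in (blob.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return records
        off = min(hits)
        length = sfnt_length(blob, off)
        if length is None:                     # false positive: step past this byte
            pos = off + 1
            continue
        data = blob[off:off + length]
        records.append({
            "name": f"font_{len(records):02d}_sfnt_off{off:08x}.bin",
            "offset": off, "size": length, "sha256": sha256_hex(data),
        })
        pos = off + length

def build_sample_sfnt(tables):
    """Constructed input: a minimal, non-renderable TrueType-flavoured sfnt
    whose table directory points at the given {tag: bytes} tables."""
    n = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    directory, body = b"", b""
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + directory + body

if __name__ == "__main__":
    # Constructed blob: one font inside a PDF-like stream, a stray magic with an
    # absurd table count (must be rejected), then a second font at the very end.
    font_a = build_sample_sfnt({b"head": b"A" * 54, b"cmap": b"B" * 10})
    font_b = build_sample_sfnt({b"glyf": b"C" * 7})
    blob = (b"%PDF-1.4\nstream\n" + font_a + b"\nendstream\n"
            + b"\x00\x01\x00\x00\xff\xff" + font_b)
    for rec in carve_fonts(blob):
        print(rec)
```

The directory walk is also the false-positive filter: the byte sequence 00 01 00 00 and the PDF keyword true both occur in ordinary PDF content, and they are discarded because their "table count" or "tags" are implausible or point outside the buffer. Hashing the carved bytes exactly as they sit in the stream gives the same SHA-256 regardless of which tool does the carve, which is what makes the artifact hashes above comparable across analyses.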