Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea7a1026306785ec…

Verdict: MALICIOUS
File type: PDF
Size: 39.6 KB
Created: 2020-08-22 14:50:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b0b42d4ab5862e98b7840e44079000e
SHA-1: 39e051ce15c1f2f45d3b44aa014d64cbb851bc04
SHA-256: ea7a1026306785ecb52fb494dd1d656088c8905b5ace9c2bff16dfccbabcd070
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.cc/pify?keyword=aluratek+bluetooth+transmitter+manual', is designed to redirect users to malicious infrastructure. The file also contains a large number of links to PDFs hosted on Shopify, likely part of an SEO link farm to improve search engine ranking for malicious content. No scripts were extracted, but the presence of the redirector and link farm indicates a social engineering attempt to drive traffic to malicious sites.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=aluratek+bluetooth+transmitter+manual

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005c90.bin
SHA-256: 1fac8c658de410fd42dce4af1f42e44098eba83ad39920d55f48df576c83fc65
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5C90
Size: 5120 bytes

Filename: font_01_sfnt_off00006dc2.bin
SHA-256: 396ac71bffdeb1c51085d7fbd58205767c46256c15b0f442085115e570cf957a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6DC2
Size: 10400 bytes