Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebab78a1c7c6d9ac…

MALICIOUS

PDF

40.1 KB Created: 2020-08-02 20:38:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7aabf4aac581a783176b873308257856 SHA-1: 25bce9fc1788df0bb556cfdbd683fe15477cffa6 SHA-256: ebab78a1c7c6d9ac30748f525684b7b00d5e1e3e73eb0bb5d0077e4ec930a0e5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF document contains a link disguised as a "Stanley garage door opener manual" that redirects to a malicious URL (https://ttraff.cc/pify?keyword=stanley+garage+door+opener+manual). This URL is flagged as a known malicious redirector. The document also contains a large number of embedded links, many pointing to Shopify domains, which is characteristic of SEO link farm abuse. The primary attack vector appears to be social engineering via a deceptive document title and a malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=stanley+garage+door+opener+manual
    • http://gubupowo.mistressclaudia.net/uploads/1/3/0/7/130775612/sarorifazisa.pdf
    • http://files.beapaige.co.uk/uploads/1/3/0/9/130969430/732713.pdf
    • http://files.gelaboutique.com/uploads/1/3/1/4/131437669/jitepavesujojajunopu.pdf
    • http://files.nvhsguidance.com/uploads/1/3/1/4/131483020/sexuligib-sinesipirumaso-vuxinofedenivi.pdf
    • https://cdn.shopify.com/s/files/1/0441/3505/5512/files/vuxepadagojazenaxoko.pdf
    • https://cdn.shopify.com/s/files/1/0430/3929/3589/files/49585459290.pdf
    • https://cdn.shopify.com/s/files/1/0433/2588/2518/files/rowofefiwu.pdf
    • https://cdn.shopify.com/s/files/1/0428/7424/1183/files/lisimikige.pdf
    • https://cdn.shopify.com/s/files/1/0438/4718/8640/files/49040476577.pdf
    • https://cdn.shopify.com/s/files/1/0431/9143/5422/files/1328121900.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/66264102559.pdf
    • https://cdn.shopify.com/s/files/1/0429/0668/1497/files/renuzoxisegirarusajudiva.pdf
    • https://cdn.shopify.com/s/files/1/0433/3273/1038/files/zadukesokupa.pdf
    • https://cdn.shopify.com/s/files/1/0434/4525/6352/files/dokufunamexobaxa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xodowowesibaxen.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f20.bin
37a2d405ea832773169c465507280c8f15b9e0aa9c9360c766bf96c4dc7cb5aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F20 5308 bytes
font_01_sfnt_off00007121.bin
0e13352a227807ebb78ff72e9c4bb87337af776493f29dcb17bea7af475df89f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7121 10100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.