Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebd5a7c05e8a22d6…

MALICIOUS

PDF

41.6 KB Created: 2020-08-26 22:50:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5dee6f1045e89a15659488ed8571614e SHA-1: eb39292f5ab79572742f2075e87d0afe140f0481 SHA-256: ebd5a7c05e8a22d6461e68aa3d9899757403e242474bce0576e9311b4340777a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains this URL and numerous other links hosted on Shopify, suggesting a link farm or redirection scheme. The primary attack pattern involves tricking the user into clicking the malicious link, likely leading to further compromise.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=the+brothers+grimm+spectaculathon
    • http://files.myvirtualvacations.net/uploads/1/3/1/4/131409024/wewuleluwodi.pdf
    • https://cdn.shopify.com/s/files/1/0435/2425/9992/files/fasetudaka.pdf
    • https://cdn.shopify.com/s/files/1/0431/5840/5280/files/fubulepi.pdf
    • https://cdn.shopify.com/s/files/1/0461/7640/3609/files/80094298193.pdf
    • https://cdn.shopify.com/s/files/1/0431/3320/6682/files/virtual_earthworm_dissections.pdf
    • https://cdn.shopify.com/s/files/1/0430/4686/3005/files/samilunudivero.pdf
    • https://cdn.shopify.com/s/files/1/0433/5727/4261/files/irsc_libraries_apa_style_guide.pdf
    • https://cdn.shopify.com/s/files/1/0470/9937/9862/files/capitis_diminutio_maxima_blacks_law.pdf
    • https://cdn.shopify.com/s/files/1/0429/8362/0757/files/zowejexetefobi.pdf
    • https://cdn.shopify.com/s/files/1/0433/9345/0134/files/meningitis_amebiana_primaria.pdf
    • https://cdn.shopify.com/s/files/1/0432/0277/3156/files/22120246303.pdf
    • https://cdn.shopify.com/s/files/1/0432/6627/7531/files/residential_buildings_types.pdf
    • https://cdn.shopify.com/s/files/1/0428/2672/7580/files/33672977438.pdf
    • https://cdn.shopify.com/s/files/1/0432/0644/3163/files/13819359888.pdf
    • https://cdn.shopify.com/s/files/1/0433/9151/6826/files/45065964946.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006593.bin
47edb287ab22f12cfacf06321de0c046594462af18832430de7a9c98334cce19		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6593 5436 bytes
font_01_sfnt_off000077ec.bin
fbbc4aeb6bfaa15a6599fa1673632414cd2d2fc949b476a0a411ad873e7d2631		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77EC 9964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.