Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec4558c41496eb4f…

MALICIOUS

PDF

39.8 KB Created: 2020-08-30 20:43:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c9d4958db02b41fdd4e2f8b2eb29476 SHA-1: 54d5127d8c176c51c21d1676efbcd4a03f4c1e64 SHA-256: ec4558c41496eb4ff99b5176b0c3e2ad07b6141970fd1c69cad1f8a5c2b11ca5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=prince+caspian+lyrics'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with the first being 'https://cdn.shopify.com/s/files/1/0431/8471/7979/files/celebrate_recovery_rules_and_guidelines.pdf'. The document body, though heavily obfuscated, also contains these URLs. The primary intent appears to be directing users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=prince+caspian+lyrics
    • https://cdn.shopify.com/s/files/1/0431/8471/7979/files/celebrate_recovery_rules_and_guidelines.pdf
    • https://cdn.shopify.com/s/files/1/0433/6871/0309/files/notonit.pdf
    • https://cdn.shopify.com/s/files/1/0430/6855/5415/files/55849222687.pdf
    • https://cdn.shopify.com/s/files/1/0438/3624/4118/files/48121893990.pdf
    • https://cdn.shopify.com/s/files/1/0434/0937/5397/files/12913636760.pdf
    • https://static.usrfiles.com/ugd/3aee12_93d34499ebbd418589ba49618ab32902.pdf
    • https://static.usrfiles.com/ugd/b8c837_133699766a68417d99bdd95685438f55.pdf
    • https://static.usrfiles.com/ugd/9cfd0a_9cf470ba10b24924b6300bc8a212a0c7.pdf
    • https://cdn.shopify.com/s/files/1/0433/9145/1294/files/division_de_numeros_complejos_en_for.pdf
    • https://cdn.shopify.com/s/files/1/0431/5335/9005/files/difference_between_manual_and_automation_testing.pdf
    • https://cdn.shopify.com/s/files/1/0435/5594/6647/files/7175297918.pdf
    • https://cdn.shopify.com/s/files/1/0429/6350/1222/files/jabumatanaxona.pdf
    • https://cdn.shopify.com/s/files/1/0433/0366/5822/files/64823952725.pdf
    • https://cdn.shopify.com/s/files/1/0434/7097/9237/files/mesugoboxuzam.pdf
    • https://cdn.shopify.com/s/files/1/0437/1723/0741/files/kiwirosetuxujem.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e82.bin
c17726f9fe485661333096d4390645bbf63c85bc5bdfab91cea6d98524c1bf78		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E82 5028 bytes
font_01_sfnt_off00006fa6.bin
c4667cd0ca4e6012cae9066bec2a5a4cf541acb59546d6b8c391ecce6b5ddb45		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FA6 10316 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.