Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecc9652465e49188…

MALICIOUS

PDF

42.0 KB Created: 2020-08-17 12:28:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49e3e3dab8c64c0b32d87ba1c4b80764 SHA-1: 3ad6f77cb84a4e879de9727d4241cd80d4a568fb SHA-256: ecc9652465e49188b316f257e952db1537d1d2f7e82aa7c6111ba7c7dd5bf78f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with a primary link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL https://ttraff.com/pify?keyword=pdf+file+resize+software, suggesting a lure to disguise malicious activity. The presence of numerous Shopify links, many of which are benign, likely serves to obscure the malicious redirector. The file was generated using wkhtmltopdf, a tool often abused for creating malicious PDFs.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=pdf+file+resize+software
    • http://zeropi.bellevueshockers.com/uploads/1/3/1/0/131070571/3387046.pdf
    • http://kapopin.mickonis.org/uploads/1/3/0/7/130738909/pejinikoridem_mibifi_jepun_kodawimuvikumaz.pdf
    • http://files.vixbrowneauthor.com/uploads/1/3/0/9/130969562/8204f5f564.pdf
    • http://files.videopeople360.com/uploads/1/3/0/7/130739415/d142b6.pdf
    • http://gipawin.legacylec.org/uploads/1/3/0/7/130776031/waliwumejuxudosox.pdf
    • https://cdn.shopify.com/s/files/1/0438/2166/2365/files/barewote.pdf
    • https://cdn.shopify.com/s/files/1/0430/2602/2554/files/fozarowok.pdf
    • https://cdn.shopify.com/s/files/1/0433/8463/5544/files/47437966565.pdf
    • https://cdn.shopify.com/s/files/1/0452/2383/7856/files/oc_caste_list_in_telangana.pdf
    • https://cdn.shopify.com/s/files/1/0428/2590/8383/files/77383357737.pdf
    • https://cdn.shopify.com/s/files/1/0438/1776/2973/files/46867367218.pdf
    • https://cdn.shopify.com/s/files/1/0431/6761/3077/files/37451554270.pdf
    • https://cdn.shopify.com/s/files/1/0432/3131/4077/files/wovuzogowigujirekipir.pdf
    • https://cdn.shopify.com/s/files/1/0427/6014/3014/files/13191875707.pdf
    • https://cdn.shopify.com/s/files/1/0435/9543/2099/files/the_photographers_eye.pdf
    • https://cdn.shopify.com/s/files/1/0433/1975/4907/files/zozowag.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000679a.bin
6776a9dec60fc99e530195690e58fc1ef0ff2a97857742613f522c580130ce63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x679A 5044 bytes
font_01_sfnt_off000078e8.bin
ac8ffa450c41aa9c0c47e4c17a4b590cf0dc08974f3daf7e6d9831619d3919c9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78E8 10144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.