Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed03adc624c6e5ae…

MALICIOUS

PDF

44.5 KB Created: 2020-08-03 05:49:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8decd81b1cff599dd64fb858008ec428 SHA-1: 22171e51524dd693281e7599e70b611309b73dc1 SHA-256: ed03adc624c6e5aec7d8474536ecf63ee2692a6afc9fdb956dc76c35b1f3ee7e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with many links pointing to Shopify-hosted PDFs. One critical heuristic firing indicates a malicious redirector link to 'ttraff.com'. The document body, though corrupted, contains the same URL, suggesting it's the primary lure. The presence of numerous Shopify links suggests an attempt to obscure the malicious destination by hosting benign-looking content on legitimate platforms while redirecting through the malicious domain.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=sustainability+merit+badge+book+pdf
    • http://files.eh20group.com/uploads/1/3/2/6/132696280/7803045.pdf
    • http://files.samhallsport.com/uploads/1/3/0/7/130740054/903c75.pdf
    • http://files.shelbyhelpline.org/uploads/1/3/1/4/131406668/zebedowim-dewote.pdf
    • http://files.mplboutique.com/uploads/1/3/0/7/130739974/1967640612.pdf
    • https://cdn.shopify.com/s/files/1/0431/4379/0760/files/waridogiwumiwul.pdf
    • https://cdn.shopify.com/s/files/1/0433/9433/4870/files/wiz_khalifa_albums.pdf
    • https://cdn.shopify.com/s/files/1/0432/9380/2646/files/gorolunokanuvada.pdf
    • https://cdn.shopify.com/s/files/1/0430/4273/4237/files/89206904466.pdf
    • https://cdn.shopify.com/s/files/1/0437/4170/8453/files/64815686928.pdf
    • https://cdn.shopify.com/s/files/1/0437/8086/6197/files/natavodulewovexirezamen.pdf
    • https://cdn.shopify.com/s/files/1/0430/4545/3985/files/kebifujup.pdf
    • https://cdn.shopify.com/s/files/1/0433/8286/6072/files/58595542764.pdf
    • https://cdn.shopify.com/s/files/1/0434/5564/3813/files/pabodimatusi.pdf
    • https://cdn.shopify.com/s/files/1/0427/9776/0668/files/nejesuw.pdf
    • https://cdn.shopify.com/s/files/1/0437/6782/4533/files/xefinidawevub.pdf
    • https://cdn.shopify.com/s/files/1/0432/0018/4477/files/49422138448.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e65.bin
a20ee3f9c01cac2ddbb8b09227ab13f51d54f6ff4b7d269ea61ddf7b75a056d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E65 5772 bytes
font_01_sfnt_off000081fc.bin
3e37ca410f2aee9d248022a0af6c33dfd54569c98f44064af1f6df2539efca5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81FC 10268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.