Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee90816e8146abe4…

MALICIOUS

PDF

36.6 KB Created: 2020-07-25 08:29:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5226b63580a99d10ee6e2a2384574807 SHA-1: afc8e60d89c8ef8f805108069ca1d0cbdf502b79 SHA-256: ee90816e8146abe42f6a687a1833fc8a34a0e0b88575cf409a82cc0d1617fa36
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, directing users to 'ttraff.cc'. Additionally, it exhibits a PDF link farm heuristic, with numerous links pointing to external PDFs, many hosted on Shopify. The document body, though heavily obfuscated, contains text related to a 'falling balls game free' and metadata indicating it was generated by wkhtmltopdf, suggesting a lure to a malicious site under the guise of a game download.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=falling+balls+game+free
    • http://files.orgorg.co/uploads/1/3/0/7/130775131/vifamejutemafekereji.pdf
    • http://files.starcraftpontoons.com/uploads/1/3/0/8/130874615/602499b6.pdf
    • http://files.certifiablemedia.ca/uploads/1/3/2/7/132710632/widaxaxepes.pdf
    • http://files.fbcjvl.org/uploads/1/3/2/6/132695586/848443.pdf
    • https://cdn.shopify.com/s/files/1/0430/9997/9930/files/16425993416.pdf
    • https://cdn.shopify.com/s/files/1/0431/5217/9364/files/27018842626.pdf
    • https://cdn.shopify.com/s/files/1/0431/9212/3560/files/furimadezirafomoxed.pdf
    • https://cdn.shopify.com/s/files/1/0433/4492/0734/files/17738635184.pdf
    • https://cdn.shopify.com/s/files/1/0433/1172/6750/files/8690696503.pdf
    • https://cdn.shopify.com/s/files/1/0434/4204/5090/files/maminowovuwidivav.pdf
    • https://cdn.shopify.com/s/files/1/0430/4830/4797/files/62309787849.pdf
    • https://cdn.shopify.com/s/files/1/0434/2782/3778/files/77450694017.pdf
    • https://cdn.shopify.com/s/files/1/0431/8360/3876/files/71931100019.pdf
    • https://cdn.shopify.com/s/files/1/0431/9857/8848/files/88911579428.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0433/44

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005575.bin
ab68818a1209792494d3f1738549d3e791a5d65be7652c15e3f782e29c33a49f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5575 4780 bytes
font_01_sfnt_off0000658b.bin
37f168cc666292905aa03281719800ea7972a3f0a3996e35ecf17eeaeee267f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x658B 9292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.