Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef44c42f63e24d1f…

Verdict: MALICIOUS
File type: PDF, 46.3 KB
Created: 2020-08-21 21:31:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b1eb70794b795b3b051d37b7a3e67b7
SHA-1: e879aa29ea4adeab1f37a6aec65d23d7521471a9
SHA-256: ef44c42f63e24d1f97789f91d783a8c7091afa92d82264b076d2d9a990a7d652
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the clickable redirector URI is the delivery mechanism; T1566.002 is the link sub-technique, not the attachment one)
T1059.001 PowerShell (not supported by the static artifacts below: no script content was extracted from this sample)

The PDF carries a large number of external links. Most of them point to further PDF files hosted on cdn.shopify.com or on similar /uploads/ paths on other hosts, the pattern of a generated link farm rather than genuine citations. One link, https://ttraff.com/pify?keyword=visual+code+css+formatter, points to ttraff.com, known redirector infrastructure. The document body contains the string 'Visual code css formatter', which is also the keyword parameter of that redirector URL: the file is search-engine bait for that query, and the redirector decides where a visitor who clicks is sent. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic fires on that link. No scripts, and no embedded files other than fonts, were extracted from this sample; the risk lies in user interaction with the link and the redirect chain behind it, not in parser exploitation.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the absence of scripts or exploit objects does not make the file safe.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass of external PDF links
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host (here cdn.shopify.com). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, ...). The extracted URLs are grouped below by role.

    Flagged redirector link (the keyword parameter matches the lure text in the document body):
    • https://ttraff.com/pify?keyword=visual+code+css+formatter

    External PDF links forming the link farm:
    • http://files.mhcgb.co.uk/uploads/1/3/1/4/131452735/4396136.pdf
    • http://varotasuf.elliemacdonald.com/uploads/1/3/2/6/132681352/5085308.pdf
    • http://files.maarshainc.com/uploads/1/3/2/6/132682897/3e76d062.pdf
    • http://wapet.noltextruss.com/uploads/1/3/1/3/131398008/xebebikukav.pdf
    • http://files.awesomepawsacademy.com/uploads/1/3/1/4/131453109/gozosawigew.pdf
    • https://cdn.shopify.com/s/files/1/0440/8524/8165/files/evs_subject_ki_full_form.pdf
    • https://cdn.shopify.com/s/files/1/0429/5540/7519/files/the_new_oxford_annotated_bible_with_apocrypha_4th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0433/0605/7883/files/plant_systematics_a_phylogenetic_approach_fourth_edition.pdf
    • https://cdn.shopify.com/s/files/1/0436/1220/9315/files/how_to_turn_off_wifi_direct.pdf
    • https://cdn.shopify.com/s/files/1/0434/3123/1655/files/70222631425.pdf
    • https://cdn.shopify.com/s/files/1/0438/0885/0081/files/engineering_technology_practical_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/0505/8976/files/85887851977.pdf
    • https://cdn.shopify.com/s/files/1/0431/6702/3259/files/rigezu.pdf
    • https://cdn.shopify.com/s/files/1/0434/9093/4949/files/43239686749.pdf
    • https://cdn.shopify.com/s/files/1/0464/9415/4904/files/39331893955.pdf
    • https://cdn.shopify.com/s/files/1/0433/4052/9816/files/25902486393.pdf

    Namespace identifiers from the document's XMP metadata packet (standard RDF, Dublin Core and Adobe PDF/XMP schema URIs; not clickable links and not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
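As an added example (not the analysis platform's code and not part of the original report), the following Python script implements the two link heuristics above over an uncompressed PDF: it pulls /URI actions out of /Link annotations, separates them from XMP namespace URIs and plain body URLs, checks the clickable set against a redirector host list (seeded with ttraff.com from this report) and applies an assumed link-farm rule (small file, at least eight .pdf links, at least half of the clickable links on one host). The thresholds, the `build_sample_pdf` fixture and the eight cdn.shopify.com paths it generates are constructed for illustration; three of the sample URLs are taken from the report. Real samples usually keep annotations inside FlateDecode streams, which must be inflated first (for instance by normalising the file with `qpdf --qdf`).

```python
"""Link-based PDF triage: flags the two heuristics named in the report.

Added example, not the analysis platform's code. It does a byte-level regex
scan of an UNCOMPRESSED PDF (real samples usually keep annotations inside
FlateDecode streams that must be inflated first) and uses assumed thresholds.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Host of the report's flagged URL; a real deployment would consume a feed.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}

# Assumed thresholds for PDF_SEO_LINK_FARM (illustrative, not the platform's).
MAX_SMALL_PDF_BYTES = 200 * 1024
MIN_FARM_PDF_LINKS = 8
MIN_TOP_HOST_SHARE = 0.5

# /URI (literal string) inside a /Link action. The "/S /URI" name that precedes
# it is never followed by "(", so only the key carrying a string value matches.
_LINK_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Any http(s) URL anywhere in the file: annotations, page text, XMP metadata.
_ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Namespace declarations in the XMP packet: identifiers, not clickable links.
_XMLNS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')


def _unescape(s: bytes) -> str:
    """Undo the PDF literal-string escapes that can appear inside a URL."""
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channel that carried it:
    'link-annotation' (clickable), 'xmp-namespace' (metadata) or 'body'."""
    links = {_unescape(m.group(1)) for m in _LINK_URI_RE.finditer(pdf)}
    xmlns = {m.group(1).decode("latin-1") for m in _XMLNS_RE.finditer(pdf)}
    urls = {}
    for m in _ANY_URL_RE.finditer(pdf):
        u = m.group(0).decode("latin-1")
        channel = "link-annotation" if u in links else "xmp-namespace" if u in xmlns else "body"
        urls.setdefault(u, channel)
    for u in links:  # link strings whose escaping defeated _ANY_URL_RE
        urls.setdefault(u, "link-annotation")
    return urls


def evaluate(pdf: bytes, redirectors=KNOWN_REDIRECTOR_HOSTS) -> dict:
    """Return the triggered heuristics plus the figures behind them."""
    urls = extract_urls(pdf)
    clickable = [u for u, c in urls.items() if c == "link-annotation"]
    hosts = Counter(urlsplit(u).hostname or "" for u in clickable)
    redirector_urls = sorted(u for u in clickable if urlsplit(u).hostname in redirectors)
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_count / len(clickable) if clickable else 0.0

    hits = []
    if redirector_urls:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf) <= MAX_SMALL_PDF_BYTES and len(pdf_links) >= MIN_FARM_PDF_LINKS
            and top_share >= MIN_TOP_HOST_SHARE):
        hits.append("PDF_SEO_LINK_FARM")
    if urls:
        hits.append("EMBEDDED_URL")  # informational, like the report's label
    return {"heuristics": hits, "clickable": len(clickable), "top_host": top_host,
            "top_host_share": round(top_share, 2), "redirector_urls": redirector_urls,
            "urls": urls}


def build_sample_pdf(link_urls) -> bytes:
    """CONSTRUCTED input: a PDF-syntax fragment (no xref, not viewer-valid) with one
    uncompressed /Link annotation per URL and two of the XMP namespaces a Qt/wkhtmltopdf
    file declares. Just enough structure for the byte-level scan above."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>\n"
        % u.encode("latin-1") for u in link_urls)
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="Qt 4.8.7"/>'
           b'</rdf:RDF>\n')
    return b"%PDF-1.4\n" + xmp + annots + b"%%EOF\n"


# Three URLs from the report (the redirector and two /uploads/ PDFs) plus eight
# constructed cdn.shopify.com paths: enough to trip both critical heuristics.
SAMPLE_LINKS = [
    "https://ttraff.com/pify?keyword=visual+code+css+formatter",
    "http://files.mhcgb.co.uk/uploads/1/3/1/4/131452735/4396136.pdf",
    "http://wapet.noltextruss.com/uploads/1/3/1/3/131398008/xebebikukav.pdf",
] + [f"https://cdn.shopify.com/s/files/1/04{i:02d}/0000/0000/files/doc{i}.pdf" for i in range(8)]

if __name__ == "__main__":
    verdict = evaluate(build_sample_pdf(SAMPLE_LINKS))
    for key, value in verdict.items():
        if key != "urls":
            print(f"{key}: {value}")
    for u, channel in verdict["urls"].items():
        print(f"  [{channel}] {u}")
```

Run as a script it prints the three heuristic names, the host concentration (cdn.shopify.com at 8 of 11 clickable links) and each URL tagged with its channel, which is the per-URL labelling the EMBEDDED_URL entry refers to; the two XMP URIs come out as `xmp-namespace` and never count toward the link-farm rule.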

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font streams (sfnt containers), as expected from an HTML-to-PDF rendering; they are listed for completeness and are not indicators on their own.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00007519.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7519  5132 bytes
  SHA-256: 2c05a2c83e65f6d9609a6d51ab2a4f04cc63f210fb0b6f4d343a0a73445bf2ff
font_01_sfnt_off0000866a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x866A  11128 bytes
  SHA-256: 08006d32159033b6103643ab21aba6be2566d7dceeec34cdab5d68d06121dea8