Malicious PDF — malware analysis report

Static analysis result for SHA-256 f042af4ee44f7a0c…

MALICIOUS

PDF

52.8 KB Created: 2020-08-07 07:26:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82ad7b72ff2f98c844880d658e046b08 SHA-1: 96a834f050493f28ecb468e7fd00f5a26d988b88 SHA-256: f042af4ee44f7a0cbf2f47a79733b440701665b09663febdf20976bb03c3cead
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating it links to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=1+pedro+hernandes+dias+lopes+pdf', which is flagged as malicious. Additionally, the file exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources, many of which are hosted on cdn.shopify.com. The primary attack vector appears to be social engineering via a malicious link within the PDF.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=1+pedro+hernandes+dias+lopes+pdf
    • http://files.ashleyknappenberger.com/uploads/1/3/2/8/132814306/mufololosajo-zewunewarupoj.pdf
    • http://files.j-6forge.com/uploads/1/3/0/9/130969686/zoxufaruva.pdf
    • http://wilexitu.41studiosdesign.com/uploads/1/3/0/8/130873995/regedokavimuma.pdf
    • http://zeravusaf.abplasticpro.com/uploads/1/3/0/7/130775432/2530205.pdf
    • https://cdn.shopify.com/s/files/1/0440/1843/4213/files/tn_election_commission_voter_list_2020.pdf
    • https://cdn.shopify.com/s/files/1/0429/5956/9055/files/ropudebew.pdf
    • https://cdn.shopify.com/s/files/1/0428/1742/1479/files/bozowetijusufo.pdf
    • https://cdn.shopify.com/s/files/1/0432/4681/3346/files/54672801412.pdf
    • https://cdn.shopify.com/s/files/1/0434/8503/6708/files/zutupevaporizal.pdf
    • https://cdn.shopify.com/s/files/1/0432/1237/4174/files/8412195917.pdf
    • https://cdn.shopify.com/s/files/1/0432/2240/1192/files/xoxad.pdf
    • https://cdn.shopify.com/s/files/1/0432/3108/4701/files/56450963080.pdf
    • https://cdn.shopify.com/s/files/1/0438/2910/0701/files/24578247111.pdf
    • https://cdn.shopify.com/s/files/1/0429/6530/3455/files/98072728642.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007697.bin
4cada32b2d4809e5cc1c314f0ea51bb30ad3b2b2e0a54a6db0f98565f3ee5b15		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7697 5088 bytes
font_01_sfnt_off000087db.bin
dfccd483f01e38760e08216c001ba2f0055c061a8f14185a06f04eb7b8c818bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87DB 12556 bytes
font_02_sfnt_off0000ae28.bin
563c528807982a628cea44f9675d1c248d1cf494f9e26e34baaf1509457f088b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAE28 16344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.