Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1c58f41e324c774…

MALICIOUS

PDF

38.9 KB Created: 2020-08-21 07:01:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c0616a8eb036d5c033bad0235982e5f SHA-1: 8cca86f416725368aab37a38f8e7a32cdfb17f11 SHA-256: f1c58f41e324c7746a83dd811d1130b4e1fd2e42a5f26b36d50d801c5ac94823
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=bungee+font++mac'. This URL, combined with the PDF structure and embedded links to various Shopify-hosted PDFs, suggests a lure to a phishing or malware distribution site. The document body, though heavily obfuscated, contains references to the redirector URL and other Shopify links, reinforcing the attack pattern. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=bungee+font++mac
    • http://kudew.fullcirclewellnessretreats.com/uploads/1/3/2/8/132814930/5017518.pdf
    • http://files.melshand.com/uploads/1/3/1/4/131453188/kunugebidine-zagetapesawabu-bedelavudizo-zetugamafa.pdf
    • http://saxorofu.shoultesparkhoa.com/uploads/1/3/0/7/130775075/1535119.pdf
    • https://cdn.shopify.com/s/files/1/0433/0392/7973/files/8699605213.pdf
    • https://cdn.shopify.com/s/files/1/0428/1643/8438/files/column_width_jspdf_autotable.pdf
    • https://cdn.shopify.com/s/files/1/0427/9376/2975/files/nesakapokowu.pdf
    • https://cdn.shopify.com/s/files/1/0427/6885/9303/files/1-_99_agility.pdf
    • https://cdn.shopify.com/s/files/1/0432/0709/8529/files/aprendizajes_clave_preescolar_lenguaje_y_comunicacion.pdf
    • https://cdn.shopify.com/s/files/1/0439/8609/2190/files/white_house_petitions_bill_maher.pdf
    • https://cdn.shopify.com/s/files/1/0437/6484/2647/files/dujufaz.pdf
    • https://cdn.shopify.com/s/files/1/0430/5109/0071/files/fimegubulolixesobumozu.pdf
    • https://cdn.shopify.com/s/files/1/0434/3860/4450/files/alliance_and_horde_compendium.pdf
    • https://cdn.shopify.com/s/files/1/0435/2396/5079/files/bored_pile_foundation.pdf
    • https://cdn.shopify.com/s/files/1/0430/1737/1797/files/38438232318.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a10.bin
638f38eae56df3658477c18c4eb1a3e236ce2a68295d393246f44304253527b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A10 4944 bytes
font_01_sfnt_off00006ad9.bin
fed7d45d456b3046510b76a3ce9c9e97c93e817513604dbd3a0555c38bbea464		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AD9 10612 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.