Malicious PDF — malware analysis report

Static analysis result for SHA-256 f21cb5f0a8a52191…

MALICIOUS

PDF

39.9 KB Created: 2020-08-27 22:13:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e63ed394434cdf82f4c85981fd097a6 SHA-1: 8d8e7149b91551b819b83628ed03cf27bd7b7905 SHA-256: f21cb5f0a8a52191dc9fdf671cbc36f831cf54889afdd30adee76f05a2099ae2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with many links pointing to shopify.com PDFs, but one critical link directs to a known malicious redirector at ttraff.com. The document body, though heavily obfuscated, contains the URL "https://ttraff.com/pify?keyword=reconstructing+amelia+movie", suggesting a lure to a malicious site. The presence of numerous PDF links indicates a strategy to distribute malicious content or redirect users to phishing pages.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=reconstructing+amelia+movie
    • http://files.northshorenightlife.com.au/uploads/1/3/1/4/131453284/8096271.pdf
    • http://sarolifen.bernaibrahim.com/uploads/1/3/0/7/130776688/3fd5a297e0fbf.pdf
    • http://files.southlinewaterfowl.com/uploads/1/3/1/4/131408027/6187361.pdf
    • https://cdn.shopify.com/s/files/1/0430/1609/3849/files/67376484097.pdf
    • https://cdn.shopify.com/s/files/1/0432/8397/2256/files/44022908722.pdf
    • https://cdn.shopify.com/s/files/1/0431/0908/9434/files/81111529467.pdf
    • https://cdn.shopify.com/s/files/1/0435/6374/5441/files/iiaba_market_share_reports.pdf
    • https://cdn.shopify.com/s/files/1/0435/1901/7124/files/2870943493.pdf
    • https://cdn.shopify.com/s/files/1/0432/0840/9250/files/30351122478.pdf
    • https://cdn.shopify.com/s/files/1/0429/4167/7731/files/31740833044.pdf
    • https://cdn.shopify.com/s/files/1/0429/2427/7923/files/44809126374.pdf
    • https://cdn.shopify.com/s/files/1/0430/0596/8537/files/vepit.pdf
    • https://cdn.shopify.com/s/files/1/0432/1561/8215/files/83883511765.pdf
    • https://cdn.shopify.com/s/files/1/0429/0294/5959/files/sutimibo.pdf
    • https://cdn.shopify.com/s/files/1/0432/3858/8584/files/tarewerizexaz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e84.bin
a51e2bcac9aaba9a5d3df6c517a1feb4688b28f5bf4d791140cfdad90965a308		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E84 5188 bytes
font_01_sfnt_off00007011.bin
dc628501add42922b20ace0b687c0c6e4215cb4fc9b3e7a3f1c4e0caf0e0b3a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7011 10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.