Malicious PDF — malware analysis report

Static analysis result for SHA-256 f35b3672022df8db…

MALICIOUS

PDF

64.1 KB Created: 2020-08-03 03:43:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b5781103020c9c07023d1eb20dbeb2c SHA-1: d3f3443a988842d224c33de80d25ff6b93e5bede SHA-256: f35b3672022df8db57287b624c22b2ee13c5268fb78fc4169f2d6f769daf55f8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF document contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs. One critical heuristic identified a link to `ttraff.com`, a known malicious redirector, which is presented in the document body as a lure for a free movie download. This indicates a social engineering attack aimed at directing users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=hotel+rwanda+full+movie+free
    • http://files.nwtfloatplane.com/uploads/1/3/1/0/131070723/b14800.pdf
    • http://files.keeptalkingspeech.com/uploads/1/3/1/0/131070846/degosulakefo.pdf
    • http://files.ncam.ac.nz/uploads/1/3/2/6/132681836/d72790.pdf
    • https://cdn.shopify.com/s/files/1/0430/8588/9689/files/xawuku.pdf
    • https://cdn.shopify.com/s/files/1/0427/9474/6023/files/epson_xp_340_manual.pdf
    • https://cdn.shopify.com/s/files/1/0430/0832/7829/files/12050334973.pdf
    • https://cdn.shopify.com/s/files/1/0432/2181/1362/files/51184304943.pdf
    • https://cdn.shopify.com/s/files/1/0435/5670/0319/files/ziretipuxutefapogugi.pdf
    • https://cdn.shopify.com/s/files/1/0435/7203/5739/files/minecraft_ps3_seeds_2016.pdf
    • https://cdn.shopify.com/s/files/1/0434/8307/0630/files/87134703122.pdf
    • https://cdn.shopify.com/s/files/1/0431/3861/3399/files/66592190036.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/9715790575.pdf
    • https://cdn.shopify.com/s/files/1/0428/0814/8127/files/nenamuxikolofipijuzevud.pdf
    • https://cdn.shopify.com/s/files/1/0433/7372/3811/files/78822786644.pdf
    • https://cdn.shopify.com/s/files/1/0431/0673/0144/files/gejux.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000be3f.bin
a12f60046056bf6a6cbc300397d94898552ca1c114ff86b04bbb2db084b26580		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBE3F 4988 bytes
font_01_sfnt_off0000cf37.bin
f58d3151e9a50716d77fd84e89bed22746baae79a32db0f3712d100f0a635de1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCF37 10680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.