Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3c6c64e19d65312…

Verdict: MALICIOUS
File type: PDF
Size: 54.5 KB
Created: 2020-08-29 18:32:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4a015a0bf99e1e1e457039b3de352615
SHA-1: 5058a28fc5c5368953ed4e3ebaa02ecc0f2f05b6
SHA-256: f3c6c64e19d6531283e17269c2c93a9e61d0970207a0c0cb28463d293f4a7efa
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell (no script, macro or JavaScript content appears anywhere in this report; the static evidence below supports only the link-based delivery chain)

The PDF carries an unusually large number of clickable links for its 54.5 KB size, and a critical heuristic identifies it as a PDF link farm. One link points to ttraff.com, a known malicious redirector, with a keyword-stuffed query string (werewolf+the+forsaken+merits); the redirector most likely hides the final destination and lets the operator swap it at will. The same URL also appears in the heavily obfuscated page text, so it is the intended lure. The remaining links point to further PDFs hosted on third-party content CDNs (cdn.shopify.com, static.usrfiles.com), the pattern of an SEO network of generated PDFs that cross-link to each other to rank in search results and funnel visitors into the redirect chain. The authoring-application string (wkhtmltopdf 0.12.5 via Qt 4.8.7) is consistent with automated HTML-to-PDF generation rather than a hand-authored document. No heuristic indicates a parser exploit; the document depends on the user clicking a link.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=werewolf+the+forsaken+merits
    • https://cdn.shopify.com/s/files/1/0436/6077/1481/files/5205220768.pdf
    • https://cdn.shopify.com/s/files/1/0433/7188/8803/files/10084484426.pdf
    • https://cdn.shopify.com/s/files/1/0429/2047/6828/files/5498017553.pdf
    • https://cdn.shopify.com/s/files/1/0441/0828/4056/files/xoxukitatazusolixomuvevin.pdf
    • https://cdn.shopify.com/s/files/1/0430/8421/8521/files/47319950342.pdf
    • https://cdn.shopify.com/s/files/1/0433/7133/1734/files/gonusovi.pdf
    • https://cdn.shopify.com/s/files/1/0431/6577/8080/files/kurekadawodu.pdf
    • https://cdn.shopify.com/s/files/1/0428/7882/8700/files/console_commands_stardew_valley.pdf
    • https://cdn.shopify.com/s/files/1/0431/7098/8188/files/gavoduvekelabidufegolateg.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/80278007767.pdf
    • https://static.usrfiles.com/ugd/b8c837_07b7e67539e94b319f124c84ebc7e973.pdf
    • https://static.usrfiles.com/ugd/b8c837_699892ac357241d5b7e9cd3e6467d43f.pdf
    • https://static.usrfiles.com/ugd/e8506d_1b9a5fea5e6646119b0390e8e1a62d6f.pdf
    • https://static.usrfiles.com/ugd/0d9a50_5c3005f24d5e44849e5255b452912a3b.pdf
    • https://static.usrfiles.com/ugd/79e0dc_2022c222367340abaf81007420c4907d.pdf
    • https://static.usrfiles.com/ugd/b8c837_c6162e7ae99f4d2786f0eabd5d9605a5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
      (the six URIs above are XMP/RDF namespace identifiers from the document's metadata packet, not clickable links)
    • https://cdn.shopify.com/s/files/1/0433/7188/8803/files/10 (truncated as extracted; prefix of the second cdn.shopify.com URL above)
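The two critical heuristics above (PDF_SEO_LINK_FARM and PDF_MALICIOUS_REDIRECTOR_LINK) and the per-channel URL labelling of EMBEDDED_URL can be reproduced in Python. The following is an added example written for this page, not the scanner's own code: it extracts /URI link-annotation strings and bare URLs from raw PDF bytes, tags each URL with the channel that reached it, discards XMP namespace identifiers, and applies the two heuristics using hypothetical thresholds (200 KB, five external PDF links, 50% of links on one host) and a hypothetical one-entry redirector list. The sample PDF is constructed inline and only mirrors the hosts seen in the report. The example scans raw bytes only; link annotations stored inside FlateDecode-compressed object streams would have to be decompressed first, which it omits.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical thresholds, not the scanner's: the carrier PDF is "small", it has
# at least this many external links to other PDFs, and one host dominates them.
SMALL_PDF_BYTES = 200 * 1024
MIN_EXTERNAL_PDF_LINKS = 5
CLUSTER_SHARE = 0.5

# Hypothetical redirector blocklist; ttraff.com is the host named in the report.
KNOWN_REDIRECTORS = {"ttraff.com"}

# XMP/RDF namespace identifiers look like URLs but are schema names, not links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# /URI (literal string) inside a link annotation's action dictionary.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Any other http(s) URL in the raw bytes (page text, metadata, ...).
BARE_URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")

# Constructed sample: a minimal, uncompressed PDF skeleton with link annotations,
# the lure URL repeated in page text, and an XMP packet. It is not the analysed
# file; the hosts mirror the report so the heuristics see a realistic shape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 11 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 10 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 12 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.com/wix?keyword=example+lure) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0001/files/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0002/files/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0003/files/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0004/files/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0005/files/e.pdf) >> >> endobj
12 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://static.usrfiles.com/ugd/0000_f.pdf) >> >> endobj
10 0 obj << /Length 71 >> stream
BT /F1 12 Tf (download: https://ttraff.com/wix?keyword=example+lure) Tj ET
endstream endobj
11 0 obj << /Type /Metadata /Subtype /XML /Length 120 >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _unescape(s: bytes) -> str:
    """Minimal PDF literal-string unescape (\\( \\) \\\\), enough for URLs."""
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def extract_urls(pdf: bytes) -> dict[str, set[str]]:
    """Map each URL to the channels that reached it: 'link_annotation' for
    /URI actions, 'document_body' for bare URLs elsewhere in the bytes.
    XMP namespace identifiers are dropped because they are not links."""
    channels: dict[str, set[str]] = {}
    for m in URI_RE.finditer(pdf):
        channels.setdefault(_unescape(m.group(1)), set()).add("link_annotation")
    # Blank the annotation strings so the body scan does not re-count them.
    body = URI_RE.sub(b"", pdf)
    for m in BARE_URL_RE.finditer(body):
        url = m.group(0).decode("latin-1")
        if url.startswith(XMP_NAMESPACE_PREFIXES):
            continue
        channels.setdefault(url, set()).add("document_body")
    return channels


def assess(pdf: bytes) -> dict:
    """Apply the report's two link-based heuristics to a PDF blob."""
    channels = extract_urls(pdf)
    annots = [u for u, ch in channels.items() if "link_annotation" in ch]
    hosts = [urlsplit(u).hostname or "" for u in annots]
    pdf_links = [u for u in annots if urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_count = Counter(hosts).most_common(1)[0] if hosts else ("", 0)
    redirector_hits = [u for u, h in zip(annots, hosts) if h in KNOWN_REDIRECTORS]
    link_farm = (
        len(pdf) <= SMALL_PDF_BYTES
        and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS
        and top_count / len(annots) >= CLUSTER_SHARE
    )
    return {
        "urls": channels,
        "top_host": top_host,
        "redirector_hits": redirector_hits,
        "PDF_MALICIOUS_REDIRECTOR_LINK": bool(redirector_hits),
        "PDF_SEO_LINK_FARM": link_farm,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_PDF)
    for url, ch in sorted(result["urls"].items()):
        print(f"{','.join(sorted(ch)):32} {url}")
    for key in ("PDF_MALICIOUS_REDIRECTOR_LINK", "PDF_SEO_LINK_FARM"):
        print(f"{key}: {result[key]}")
```

On the constructed sample the lure URL is labelled with both channels (link_annotation and document_body), exactly the situation the summary describes for ttraff.com, while the two XMP namespace strings in the metadata packet are not reported as URLs at all. The thresholds are deliberately crude; a production rule would also want the link count normalised by page count and an allow-list for hosts that legitimately appear in citation-heavy documents.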

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000974f.bin
  SHA-256: 8ff2ff20be886d31ddcc3a466f492f50df9f71bea11cebf130100bccc2d6f39d
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x974F
  Size:    5176 bytes

Filename: font_01_sfnt_off0000a8d5.bin
  SHA-256: b0d01c3a6f38e1af7f9bb37a9397bd6aafd78c58013676e7667d13bc94c5db3e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA8D5
  Size:    10720 bytes