Malicious PDF — malware analysis report

Static analysis result for SHA-256 f829df02281933e4…

MALICIOUS

PDF

49.3 KB Created: 2020-07-15 16:22:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b21b58ae8cde0c8ab2edb269ab32181 SHA-1: 60f37798d81b6528a523cb5ad4d2ab2491dd9bc9 SHA-256: f829df02281933e4c4f21519ab77be27f3b9f92429e7be5449e39fb7787592dc
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.ru, which is associated with a payment redirection lure. Additionally, a PDF link farm heuristic indicates a large number of external links, with the primary one leading to a Shopify domain. The document body, though heavily obfuscated, contains keywords related to wire transfers and banking, reinforcing the lure. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=citibank%20wire%20transfer%20form%20pdf
    • http://files.bookhivebeerclub.com/uploads/1/3/0/9/130969910/f65beae6b726.pdf
    • http://files.kidsmusicwithmisshoney.com/uploads/1/3/2/8/132814624/buzasekupunidad.pdf
    • http://files.ashevillesizzles.com/uploads/1/3/1/3/131382078/820e2e8bf5032.pdf
    • http://files.jacksonhighley.com/uploads/1/3/2/6/132682110/rodejol.pdf
    • http://files.seahorseaudio.com/uploads/1/3/0/8/130813973/c89145a.pdf
    • http://files.kidsmusicwithmisshoney.com/uploads/1/3/2/8/132814624/buzasekupunidad
    • https://cdn.shopify.com/s/files/1/0430/7963/1012/files/rafasivolafe.pdf
    • https://cdn.shopify.com/s/files/1/0432/8184/2341/files/12013401455.pdf
    • https://cdn.shopify.com/s/files/1/0429/2821/0073/files/rixemalezifa.pdf
    • https://cdn.shopify.com/s/files/1/0429/9803/8679/files/81873357433.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xakuxosisubesabemobaf.pdf
    • https://taxasegino.files.wordpress.com/2020/06/zejiwudixobaru.pdf
    • https://denorawe.files.wordpress.com/2020/07/wopivorisupowapanaderoni.pdf
    • https://gosigisor.files.wordpress.com/2020/06/51484767403.pdf
    • https://mafuzepiju.files.wordpress.com/2020/07/12506406905.pdf
    • https://savevawat.files.wordpress.com/2020/07/zaxodezedanivifusoti.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/jikas.pdf
    • https://cdn.shopify.com/s/files/1/0430/6888/3098/files/98913928071.pdf
    • https://cdn.shopify.com/s/files/1/0433/6903/7974/files/32822249678.pdf
    • https://cdn.shopify.com/s/files/1/0429/8987/9445/files/xebinabuladipujej.pdf
    • https://cdn.shopify.com/s/files/1/0429/9682/6273/files/85483270212.pdf
    • https://cdn.shopify.com/s/files/1/0431/2314/6906/files/povazesuxabobusiw.pdf
    • https://cdn.shopify.com/s/files/1/0430/0098/7811/files/wepup.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/33374625424.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000080a0.bin
c2282bf773e893d59dd12f712f5af237b14f5e4a420c95d725a7cb7405b7687b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80A0 5264 bytes
font_01_sfnt_off00009277.bin
699b5c3196e8936e7987f48505ad3dce13020c91400276e5160ec84e0348a9fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9277 10852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.