Malicious PDF — malware analysis report

Static analysis result for SHA-256 f96589b19fcfb963…

MALICIOUS

PDF

44.1 KB Created: 2020-09-03 12:50:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45ecdb6383c4d8b7c98d3d8effb2cc35 SHA-1: b87630e6b7c407e67204a11eba881939ebd1815b SHA-256: f96589b19fcfb9632322c40e0727b3b1f5eb4c571f0a48d93eeb67ad68094c31
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Addends

The PDF file contains a large number of external links, many of which point to a link farm hosted on shopify.com. One of these links, 'https://ttraff.link/pify?keyword=booting+process+in+unix+pdf', is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this redirector URL, suggesting the primary intent is to lure the user into clicking the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=booting+process+in+unix+pdf
    • https://cdn.shopify.com/s/files/1/0440/4497/6278/files/zitaxekorirakov.pdf
    • https://cdn.shopify.com/s/files/1/0431/5696/3479/files/facebook_video_er_apk_online.pdf
    • https://cdn.shopify.com/s/files/1/0429/1634/8071/files/zusuli.pdf
    • https://cdn.shopify.com/s/files/1/0430/8697/1029/files/89473217738.pdf
    • https://cdn.shopify.com/s/files/1/0429/1667/5740/files/suzeguwili.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65760981278.pdf
    • https://static.usrfiles.com/ugd/8de238_b8be8724bea74b60a0359ac0d0d9d73e.pdf
    • https://static.usrfiles.com/ugd/f390e7_75854acb02094fffa6eb0ca5910dc36e.pdf
    • https://static.usrfiles.com/ugd/f459ea_78ee9cb4fb6c4ce4bc6d1fc92d327077.pdf
    • https://static.usrfiles.com/ugd/dc98cc_441a2b1674be486584d0d4c2bc0d721e.pdf
    • https://static.usrfiles.com/ugd/2b25b5_51d626889b7e45c78446aebbd776a67b.pdf
    • https://static.usrfiles.com/ugd/b8c837_43733c1196504b1db6c4a34a0a534cd8.pdf
    • https://static.usrfiles.com/ugd/de65f7_910f5b55502648948e67dcf92fe9fe8a.pdf
    • https://static.usrfiles.com/ugd/1f6d71_c33f10b9a5dd4055aa5cbed39c4a7217.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063b2.bin
5b0fff2adc8efa12ca75364df0aeb7304d96a88e093a63df1bfc206948673372		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63B2 5200 bytes
font_01_sfnt_off00007587.bin
c1248f4ed6318582e35f40eb62a343ba56a4c6b7cdfc8b487018db770ad422bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7587 14184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.