Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff3a5ef33655b64d…

MALICIOUS

PDF

Size: 40.5 KB
Created: 2020-08-31 16:48:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 71919b06d8c51de6486628c4f81aeabc
SHA-1: 5a8e0b574d1bf849e0e7664e64642e4f1ce35295
SHA-256: ff3a5ef33655b64d341e8411a67e1ad643db83bb5e79481921b2262009a0e0f7
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggers a critical heuristic for a malicious redirector link pointing to 'https://ttraff.link/wix?keyword=60+days+notice+ontario+template'. It also exhibits the characteristics of a PDF link farm, embedding numerous external links, many of which point to Shopify domains. The document body, though heavily obfuscated, contains references to the redirector URL and to the other embedded URLs, suggesting a coordinated effort to distribute malicious content or to phish for information. The primary attack vector appears to be social engineering: a seemingly legitimate document type is used to mask malicious intent, and the chain depends on the user clicking a link rather than on a parser vulnerability.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=60+days+notice+ontario+template

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005f0d.bin
SHA-256: e90033c1c59cbd3cb745f29265c63ee12669c450d4527668efe94379fb6b5b72
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5F0D
Size: 5524 bytes

Filename: font_01_sfnt_off000071c3.bin
SHA-256: ece74e159b3190c39883607a77dedbf30665caa984f74ed4f7f53ec35316e707
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x71C3
Size: 10484 bytes