Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff6365362f137c18…

MALICIOUS

PDF

39.2 KB Created: 2020-08-29 03:03:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b138e87da310d9e780cb7f54bdb62ad SHA-1: e2d02240bcc4d847da4b038521f66bacb26933ba SHA-256: ff6365362f137c181c62d8d36c8f4a4adde755d3b3ef39f53dd313dcb8513ffc
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to ttraff.com. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the primary malicious URL. The combination of these factors strongly suggests a phishing or redirection attack.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=starbound+sexbound+mod
    • https://cdn.shopify.com/s/files/1/0429/2725/9815/files/32855094130.pdf
    • https://cdn.shopify.com/s/files/1/0452/7492/3169/files/kavarupifalebamufazev.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/65587220918.pdf
    • https://cdn.shopify.com/s/files/1/0433/8457/0019/files/vegosunekozerenofulejala.pdf
    • https://static.usrfiles.com/ugd/b8c837_40ecab15222e4f93acc8affd824c602a.pdf
    • https://static.usrfiles.com/ugd/b8c837_fd7c160f596349d19e6286ef2866010e.pdf
    • https://static.usrfiles.com/ugd/b8c837_faef296725b646e9883756a4ebd6396b.pdf
    • https://static.usrfiles.com/ugd/b8c837_39a7e07516dd45019b2af0ae4b07613c.pdf
    • https://cdn.shopify.com/s/files/1/0433/0147/0366/files/compare_and_contrast_print_and_broadcast_media.pdf
    • https://cdn.shopify.com/s/files/1/0435/7718/0328/files/define_national_development.pdf
    • https://cdn.shopify.com/s/files/1/0437/7647/5290/files/2019_10th_class_up_board_date_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0432/7650/1158/files/xexekofaj.pdf
    • https://cdn.shopify.com/s/files/1/0437/4256/0407/files/business_email_format_with_attachment.pdf
    • https://cdn.shopify.com/s/files/1/0434/4751/7341/files/augusto_cury_o_mestre_dos_mestres.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000044aa.bin
72186d6ab797c3d8191abcc7a090ec68d60c10e03bad85091ac199f9bfebaf16		 pdf-font-stream PDF embedded font (sfnt) at offset 0x44AA 5248 bytes
font_01_sfnt_off00005660.bin
b426147aa322a226a9d4c582102887eb45ae0efe6ed939d1d87d4b149c9e260b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5660 9852 bytes
font_02_sfnt_off00007853.bin
347d7af464373407f9ff2c498be774ddb16f93f10e640c2479320bd93bf3fbfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7853 16344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.