Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff7d578073d9e3b2…

Verdict: MALICIOUS
File type: PDF
Size: 60.5 KB
Created: 2020-08-23 03:27:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7dd9560e294c62764b17b9ba4cc6c791
SHA-1: 0f54fc0de78652b09b091fb9e3ebf9825ff17562
SHA-256: ff7d578073d9e3b2cb1feceedc9a4e860477248064b702775222daf69cc65b9a
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=qu%25C3%25A9+significa+languidez+en+espa%25C3%25B1ol'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the same redirector URL. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.com/pify?keyword=qu%25C3%25A9+significa+languidez+en+espa%25C3%25B1ol

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00005ffd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FFD | 4276 bytes | 47d15d6d60e54f179624d56b5bfbfeea14e1af6ad6dee3362fb0ed443915074e
font_01_sfnt_off00006f4f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F4F | 5492 bytes | aecc90988d7a92ffa057eb51c57931cf9581710cca7dc2a66d58651e4aa56e1e
font_02_sfnt_off00008188.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8188 | 3700 bytes | 2de202cedb288f7298927450a53fb7ca3f6866dce567f81f2c325fc363341fff
font_03_sfnt_off00008fa9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8FA9 | 4588 bytes | dfb5a3280eb96c98fdffef4eb7a76b3d1b8ecf6419ec3ff525bfd94569110f13
font_04_sfnt_off00009e89.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9E89 | 12156 bytes | f963e203c7026f0c87c23464780a1e6ec2da76fa0d9b46a7f221b39958972384
font_05_sfnt_off0000c600.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC600 | 4324 bytes | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
font_06_sfnt_off0000d401.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD401 | 3272 bytes | 9fb0fa38f2d0294b28acb8295e7d481360129dcee4c66c3a06620160915783d8