Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ee9977244121dd9…

MALICIOUS

PDF

48.3 KB Created: 2020-09-01 23:15:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 80dc1e108eb18f5796c1e17f09a76cd4 SHA-1: 1697998e520eb8e50d93dbe39231921467b6bcd8 SHA-256: 1ee9977244121dd99e7bdde5c83de6e465b0b6eea24b177d89b4c1962a6d4e74
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic indicating it's a malicious redirector link, pointing to 'https://ttraff.me/pify?keyword=curriculum+vitae+sample+format+for+job+application'. The document body, though heavily obfuscated, contains text related to job applications and the malicious URL. The file also contains a link farm heuristic, suggesting it's part of a larger SEO poisoning effort to drive traffic to malicious sites. The primary attack vector appears to be social engineering via a deceptive document.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=curriculum+vitae+sample+format+for+job+application
    • https://static.usrfiles.com/ugd/a91264_e97b3b2f80d24755970479f6783c23dc.pdf
    • https://static.usrfiles.com/ugd/3de8a6_f89765b9cd48408daca4dd44d02c9a74.pdf
    • https://static.usrfiles.com/ugd/b8c837_0db1f00b79c2431a8e8f83ebf3afcfaa.pdf
    • https://static.usrfiles.com/ugd/e2f7e1_a9aa6a53c2eb47d0856a417dd6ade324.pdf
    • https://static.usrfiles.com/ugd/9ea9b6_19cc22d7a25a4b839e1e2b35a6624849.pdf
    • https://static.usrfiles.com/ugd/d775a9_6526b49dc3234ec3ae6cdbe2280b2e95.pdf
    • https://static.usrfiles.com/ugd/90d19e_01aeaf325d3e4c17aa9c84c5aef6c601.pdf
    • https://static.usrfiles.com/ugd/3bf302_23422bef2a034e58a38980c934cd5984.pdf
    • https://static.usrfiles.com/ugd/ae15ca_3f3b5307c2384eddaee968204e5c4f24.pdf
    • https://static.usrfiles.com/ugd/46429b_e457bde338164dc2a1ff1d5c8df86aba.pdf
    • https://cdn.shopify.com/s/files/1/0440/5913/2054/files/rumamekegevigolusumopo.pdf
    • https://cdn.shopify.com/s/files/1/0429/7955/7539/files/xuvutetuveduzaligijalolo.pdf
    • https://cdn.shopify.com/s/files/1/0428/7735/4143/files/komaziripedipozuwa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pigagijewunafusigiku.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007d43.bin
66e40c91e50bcbc1364b1c8dbe3f6ce552da80d09c3a57e120564f3212a354f5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D43 5344 bytes
font_01_sfnt_off00008f5b.bin
2371124fc15c0b390bdae47e41758f14b346adbde3572c0db2c87d91d96481f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F5B 10672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.