Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f62c07c3a69282e…

MALICIOUS

PDF

49.8 KB Created: 2020-08-19 06:23:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89bc286975b4a38f69f125d30f6cae4a SHA-1: 3b2bb0c9f4aa55739cdeec7d14f11e6d58c71b80 SHA-256: 1f62c07c3a69282ee5ebd2210781b6b2985888db2c8e7ece41e97a1b94389950
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains text that appears to be a lure for 'spoken english topics for beginners pdf'. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to Shopify domains, likely to improve search engine ranking for malicious content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=spoken+english+topics+for+beginners+pdf
    • http://vutunadev.nextbuildingforum.org/uploads/1/3/0/8/130813042/ruwurovef.pdf
    • https://cdn.shopify.com/s/files/1/0431/6702/3259/files/musavutuzisavopilifani.pdf
    • https://cdn.shopify.com/s/files/1/0437/7165/8389/files/17265661661.pdf
    • https://cdn.shopify.com/s/files/1/0433/5170/3706/files/catecismo_de_la_iglesia_catolica_1983.pdf
    • https://cdn.shopify.com/s/files/1/0432/2187/6900/files/20990309431.pdf
    • https://cdn.shopify.com/s/files/1/0435/2779/8943/files/how_do_i_export_passwords_from_safari.pdf
    • https://cdn.shopify.com/s/files/1/0433/0412/4580/files/gumibubitajogumun.pdf
    • https://cdn.shopify.com/s/files/1/0440/2338/2174/files/certificado_de_origen_mexico_colombia.pdf
    • https://cdn.shopify.com/s/files/1/0434/9899/5864/files/temofesavitisusala.pdf
    • https://cdn.shopify.com/s/files/1/0440/8695/2088/files/tricare_east_prior_authorization_form_2020.pdf
    • https://cdn.shopify.com/s/files/1/0427/6345/2583/files/mopuwikewukijimirupim.pdf
    • https://cdn.shopify.com/s/files/1/0435/4048/0164/files/14137159881.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000084fc.bin
5dc37c53ec9cb4defdc2edb765b767ccb451bfbbddab6cd3403c87a32611958f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84FC 5512 bytes
font_01_sfnt_off000097b5.bin
1b26f4ff1144f40922df373d5afcb84dff80eefb739acbc526c9aea4909712a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97B5 10100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.