Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f6829a2f2c831ca…

MALICIOUS

PDF

36.1 KB Created: 2020-09-01 18:07:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7904f8f1f10dd33159e236840f849ebb SHA-1: 522e34605131565828978f6ba8495d1b67c14099 SHA-256: 1f6829a2f2c831caf7dd05a96041206ca3c1815ecb92cddb23a3eeb663892e42
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=debate+template+high+school'. The document body, though heavily obfuscated, contains references to 'debate template high school' and the malicious URL, suggesting a social engineering lure. The file also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external PDF documents, likely to improve search engine ranking or distribute traffic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=debate+template+high+school
    • https://static.usrfiles.com/ugd/c1615c_d3aedd99dfd543c084fd18edd8e23317.pdf
    • https://static.usrfiles.com/ugd/b8c837_58c7cd9e7fb84697a096215b1eac9c71.pdf
    • https://static.usrfiles.com/ugd/b8c837_2e9be0217a2c438ca5ca0ecfe9722218.pdf
    • https://cdn.shopify.com/s/files/1/0431/4827/9957/files/gazazevi.pdf
    • https://cdn.shopify.com/s/files/1/0435/2658/6527/files/52752328164.pdf
    • https://static.usrfiles.com/ugd/8de238_2e95c81154d84d5685823ca454734ab9.pdf
    • https://static.usrfiles.com/ugd/87d215_040b5a70bd1f43a3b977cabe01ac9b6d.pdf
    • https://static.usrfiles.com/ugd/5af86b_a3fec2a0263547879c431c31dd126845.pdf
    • https://static.usrfiles.com/ugd/3ceeb9_67ce84a234a64de9876ac3c5f1d35a1b.pdf
    • https://static.usrfiles.com/ugd/64d889_cb5d1e5549fc47d39a4d837e4376ff67.pdf
    • https://static.usrfiles.com/ugd/a2ebd8_13f4bb4773e0409eb4ddcae48c87e840.pdf
    • https://static.usrfiles.com/ugd/8dde66_78a376ac4bf543f59beffc833745eb47.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000503f.bin
cf1a8ad2ec5bcdfab933d29bb4c3d51b812d906dd5b047c151d700b89ce44409		 pdf-font-stream PDF embedded font (sfnt) at offset 0x503F 5388 bytes
font_01_sfnt_off0000626f.bin
2f0e08f3ea01ee29a027aeec52a91d0d3979658b426ef8d42041c8b1712a2e91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x626F 9824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.