Malicious PDF — malware analysis report

Static analysis result for SHA-256 20632604d50bebde…

Verdict: MALICIOUS
File type: PDF
Size: 32.9 KB
Created: 2020-08-09 17:53:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ba3ccd144dbeb0bb25d06a767cdc42b
SHA-1: 8c9e4a29181ac2d2f02806e955f6de29515317d3
SHA-256: 20632604d50bebdefc3b37281fb4919c4729fa0575730b1f28658476c0adee7d
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF carries a large number of external links, and a critical heuristic flags one of them as pointing to known malicious redirector infrastructure: https://ttraff.com/pify?keyword=ansys+tutorial+pdf+scribd. The document is therefore built to route a reader into attacker-controlled infrastructure (phishing or unwanted-software delivery) by way of a click and a redirect chain, not to exploit the PDF reader. The document body, though heavily obfuscated, contains the same URL, which reinforces its role as a lure: both the visible content and the clickable annotation steer the user to the redirector. The "ansys tutorial pdf scribd" keyword in the URL and the wkhtmltopdf producer string are consistent with a PDF generated from an HTML template for search-engine bait rather than a document authored by a person.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=ansys+tutorial+pdf+scribd (known redirector; the target flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://files.aurorahealthservices.com/uploads/1/3/1/4/131407155/8207427.pdf
    • http://files.katieschutte.com/uploads/1/3/0/7/130739011/784786.pdf
    • http://rigiwo.kmkbooks.com/uploads/1/3/1/3/131384169/1928853.pdf
    • https://cdn.shopify.com/s/files/1/0429/6690/9081/files/xoxokirajipojex.pdf
    • https://cdn.shopify.com/s/files/1/0435/7367/4142/files/90250783965.pdf
    • https://cdn.shopify.com/s/files/1/0438/7926/8520/files/nigaboponagow.pdf
    • https://cdn.shopify.com/s/files/1/0433/5380/0859/files/nelotobu.pdf
    • https://cdn.shopify.com/s/files/1/0428/1060/5735/files/93235921235.pdf
    • https://cdn.shopify.com/s/files/1/0431/6640/0666/files/pefalosatolemoxad.pdf
    • https://cdn.shopify.com/s/files/1/0431/6489/3344/files/paxamab.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/91146339154.pdf
    • https://cdn.shopify.com/s/files/1/0434/3994/7932/files/95109131770.pdf
    • https://cdn.shopify.com/s/files/1/0430/6888/3098/files/31764878842.pdf
    • https://cdn.shopify.com/s/files/1/0428/4517/5971/files/a_political_economy_of_the_middle_east_third_edition.pdf
    XMP metadata namespace identifiers (schema URIs from the document's metadata packet, present in any XMP-tagged PDF; not clickable links and not part of either critical heuristic):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
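The two critical heuristics above are simple to reproduce for triage: pull the URIs out of the PDF's /Link annotation action dictionaries (not every http string in the file, which is how XMP namespace URIs end up in a URL list), then check the targets against a redirector denylist and measure how many external .pdf links cluster on one host relative to the file size. The following is an added example, not the analysis engine's own code: the redirector host list, the size and clustering thresholds, and the minimal sample PDF are all constructed assumptions for illustration, and the link set is modelled on the URLs listed in this report. The extractor works on uncompressed annotation dictionaries, which is what wkhtmltopdf/Qt 4 writes; a PDF that stores its objects in compressed object streams would need a real parser in front of it.

```python
"""Added example: extract /Link annotation URIs from a PDF and apply the two
link heuristics from this report (PDF_SEO_LINK_FARM, PDF_MALICIOUS_REDIRECTOR_LINK).
The sample PDF, the redirector host list and the thresholds are constructed
assumptions for illustration, not the analysis engine's own logic."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed redirector denylist: only ttraff.com is named in the report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}

# /URI (literal string) as written in a link annotation's action dictionary.
# PDF literal strings may contain backslash escapes, so allow "\x" pairs.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _unescape_pdf_literal(raw):
    """Undo the \\( \\) \\\\ escapes allowed inside a PDF literal string."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):   # backslash: keep the next byte literally
            out.append(raw[i + 1]); i += 2
        else:
            out.append(raw[i]); i += 1
    return out.decode("latin-1")


def extract_link_uris(pdf):
    """URIs reachable through clickable link annotations. XMP namespace URIs are
    not picked up: they appear only as xmlns attributes inside the metadata stream."""
    return [_unescape_pdf_literal(m) for m in URI_RE.findall(pdf)]


def score_pdf(pdf, max_size=64 * 1024, min_pdf_links=8, cluster_ratio=0.5):
    """Return heuristic hits in a fixed order plus the evidence behind them.
    Thresholds are assumptions; the report does not publish its own cut-offs."""
    uris = extract_link_uris(pdf)
    hits = []
    redirectors = sorted({u for u in uris if urlsplit(u).hostname in KNOWN_REDIRECTOR_HOSTS})
    if redirectors:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    pdf_links = [u for u in uris
                 if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_share = (hosts.most_common(1)[0][1] / len(pdf_links)) if pdf_links else 0.0
    if len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and top_share >= cluster_ratio:
        hits.append("PDF_SEO_LINK_FARM")
    if uris:
        hits.append("EMBEDDED_URL")
    return {"hits": hits, "link_uris": uris, "redirectors": redirectors,
            "pdf_link_hosts": dict(hosts), "top_host_share": top_share}


def build_sample_pdf(uris):
    """Constructed minimal PDF: one page, one /Link annotation per URI, and an
    uncompressed XMP metadata stream carrying the usual namespace URIs."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    annot_refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(uris)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annot_refs + b"] >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream"]
    for i, u in enumerate(uris):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] /Border [0 0 0] "
                    b"/A << /S /URI /URI (%s) >> >>" % (700 - 14 * i, 712 - 14 * i, u.encode("latin-1")))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    startxref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, startxref)
    return bytes(out)


# Constructed link set modelled on the report: one redirector plus 14 .pdf links,
# 11 of them on cdn.shopify.com (single store path used here for brevity).
SAMPLE_URIS = [
    "https://ttraff.com/pify?keyword=ansys+tutorial+pdf+scribd",
    "http://files.aurorahealthservices.com/uploads/1/3/1/4/131407155/8207427.pdf",
    "http://files.katieschutte.com/uploads/1/3/0/7/130739011/784786.pdf",
    "http://rigiwo.kmkbooks.com/uploads/1/3/1/3/131384169/1928853.pdf",
] + ["https://cdn.shopify.com/s/files/1/0429/6690/9081/files/%s.pdf" % n for n in (
    "xoxokirajipojex", "90250783965", "nigaboponagow", "nelotobu", "93235921235",
    "pefalosatolemoxad", "paxamab", "91146339154", "95109131770", "31764878842",
    "a_political_economy_of_the_middle_east_third_edition")]

if __name__ == "__main__":
    for key, value in score_pdf(build_sample_pdf(SAMPLE_URIS)).items():
        print(key, value)
```

On the constructed sample this yields all three hits, with 11 of 14 .pdf links on cdn.shopify.com; a single-link PDF yields only the EMBEDDED_URL informational tag, which is the point of keeping the URL list itself out of the verdict.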

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size        | SHA-256
font_00_sfnt_off000042b4.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x42B4 | 5380 bytes  | 117b8d4684f5eb101315292896df274507a844a4275e6496b5c0261e3e38361f
font_01_sfnt_off00005512.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5512 | 10440 bytes | 8c653ca5f5431d3d5ac81c5beb64ad862179bdaf5e49ff36710eb85072a11e39
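The artifact table records each carved font by the file offset of its sfnt header and by its length. Both values come from the sfnt structure itself: the header gives the table count, and the table directory gives each table's offset and length, so the font's extent is the end of the furthest table rounded up to 4 bytes. The following is an added example of that carving logic, not the analysis engine's own code; the PDF-like wrapper, the two fonts inside it and the 64-table sanity bound are constructed assumptions. It also shows why a naive magic-byte scan needs the directory check: the word "true" (a valid sfnt signature) appears in ordinary PDF dictionaries.

```python
"""Added example: carve embedded sfnt fonts (TrueType/OpenType) out of a raw
file by locating the sfnt header, validating the table directory and taking the
extent of the furthest table. The PDF wrapper and the fonts are constructed
stand-ins, not the fonts carved from the reported sample."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")   # TrueType, CFF OpenType, Apple TrueType
MAX_TABLES = 64                                          # assumed sanity bound for real fonts


def sfnt_extent(blob, off):
    """Length of the sfnt starting at off, or None if the table directory is not plausible."""
    if off + 12 > len(blob):
        return None
    num_tables = struct.unpack_from(">H", blob, off + 4)[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    avail = len(blob) - off
    if dir_end > avail:
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", blob, off + 12 + 16 * i)
        if not all(0x20 <= b < 0x7F for b in tag):       # tags are printable ASCII
            return None
        if t_off < dir_end or t_off + t_len > avail:      # table must follow the directory and fit
            return None
        end = max(end, t_off + t_len)
    return min((end + 3) & ~3, avail)                    # tables are 4-byte aligned


def carve_sfnt_fonts(blob):
    """Return one record per carved font, named like the report's artifact table."""
    found, pos = [], 0
    while True:
        hits = [c for c in (blob.find(m, pos) for m in SFNT_MAGICS) if c != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_extent(blob, off)
        if length is None:                # e.g. the word "true" in a PDF dictionary
            pos = off + 1
            continue
        data = blob[off:off + length]
        found.append({"name": "font_%02d_sfnt_off%08x.bin" % (len(found), off),
                      "offset": off, "size": length,
                      "sha256": hashlib.sha256(data).hexdigest()})
        pos = off + length


def build_fake_sfnt(tables):
    """Constructed TrueType-flavoured sfnt: directory followed by 4-byte-padded tables."""
    n = len(tables)
    off = 12 + 16 * n
    recs, body = b"", b""
    for tag, data in tables:
        recs += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        body += padded
        off += len(padded)
    return b"\x00\x01\x00\x00" + struct.pack(">HHHH", n, 0, 0, 0) + recs + body


FONT_A = build_fake_sfnt([(b"head", b"A" * 54), (b"glyf", b"B" * 100)])   # 200 bytes
FONT_B = build_fake_sfnt([(b"cmap", b"C" * 10)])                          # 40 bytes

# Constructed PDF-like wrapper; "/Hidden true" is a deliberate false-positive signature.
SAMPLE_BLOB = (b"%PDF-1.4\n1 0 obj\n<< /Hidden true >>\nendobj\n"
               b"2 0 obj\n<< /Length 200 >>\nstream\n" + FONT_A + b"\nendstream\nendobj\n"
               b"3 0 obj\n<< /Length 40 >>\nstream\n" + FONT_B + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for rec in carve_sfnt_fonts(SAMPLE_BLOB):
        print(rec)
```

Run against a real sample the same loop produces the offset, length and SHA-256 columns of the table above; the directory validation is what keeps the "true" in ordinary boolean dictionary values, and stray 00 01 00 00 byte runs in compressed streams, out of the artifact list.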