Malicious PDF — malware analysis report

Static analysis result for SHA-256 21547a45d87e4ba2…

MALICIOUS

PDF

42.2 KB Created: 2020-08-27 22:40:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 723c4e954588c979fc97909c8c33233f SHA-1: 42079e57c7f219bfdec8ecf4f78a5e1d69cd5921 SHA-256: 21547a45d87e4ba21deeb758a21b9ead571ceab3a10fb52af9af5f58ffe6e924
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a deceptive message about a server connection error, which is a common lure for phishing attacks. It embeds multiple links, with one specifically pointing to a known malicious redirector. The document also functions as a link farm, directing users to numerous other PDF files, likely to obscure the malicious intent and spread the attack. The primary malicious URL is https://ttraff.com/pify?keyword=apex+connexion+au+serveur+expir%25C3%25A9.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=apex+connexion+au+serveur+expir%25C3%25A9
    • http://nesupid.lamaisonneuve.com/uploads/1/3/0/8/130874359/nizarasifivo-josot-tofudobet.pdf
    • http://mikiz.colleenkelseyart.com/uploads/1/3/0/8/130814328/0dd4b28.pdf
    • https://cdn.shopify.com/s/files/1/0432/2538/3073/files/maths_book_class_11_cbse.pdf
    • https://cdn.shopify.com/s/files/1/0430/9378/6791/files/avatar_comics_espaol.pdf
    • https://cdn.shopify.com/s/files/1/0447/3847/8229/files/calendar_2020_indonesia.pdf
    • https://cdn.shopify.com/s/files/1/0432/9072/2472/files/91881087163.pdf
    • https://cdn.shopify.com/s/files/1/0433/8044/1238/files/82595911614.pdf
    • https://cdn.shopify.com/s/files/1/0434/0714/7166/files/23531880335.pdf
    • https://cdn.shopify.com/s/files/1/0429/0645/2127/files/kufirazaga.pdf
    • https://cdn.shopify.com/s/files/1/0447/1685/1356/files/wogojazixo.pdf
    • https://cdn.shopify.com/s/files/1/0465/1008/0158/files/sangfor_hci_installation_guide.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000056bd.bin
a703e02a71c63a3ef8c4e3eb7c799f054c343099e9de1b4191cad5bbfd52745d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x56BD 4956 bytes
font_01_sfnt_off00006752.bin
b283cc7b830b35109d81af3e1681d602deba1848050c676ef2ea7ffffd121a77		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6752 11428 bytes
font_02_sfnt_off00008bf4.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8BF4 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.