Malicious PDF — malware analysis report

Static analysis result for SHA-256 28848898e54c70c0…

MALICIOUS

PDF

41.9 KB Created: 2020-09-03 23:08:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46bc1b8bf7deb91f7f531840a2c52be8 SHA-1: 51b2a909546d17b7cda08792d8756826d5f37600 SHA-256: 28848898e54c70c0fb955a1c9d07052537c3617c3877feb1c84f659d6e193b25
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.link/wix?keyword=2019+monthly+calendar+template+word+landscape', is designed to lure users by appearing to offer a calendar template but ultimately redirects to malicious infrastructure. The file also contains a PDF link farm heuristic, indicating a large number of outbound links, many of which point to benign content hosting sites, but the primary malicious link is the redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=2019+monthly+calendar+template+word+landscape
    • https://static.usrfiles.com/ugd/b8c837_4a625bdb0bbc4245b356fa1e0d79689b.pdf
    • https://static.usrfiles.com/ugd/83d902_4554d660f9b848e592ff2cba05ba12ee.pdf
    • https://static.usrfiles.com/ugd/98857b_910948bd25324393a357bb8b368f7da3.pdf
    • https://static.usrfiles.com/ugd/8ab72e_273c06660a784a619f793011c425189b.pdf
    • https://cdn.shopify.com/s/files/1/0431/1079/3382/files/list_of_diseases_caused_by_bacteria_in_humans.pdf
    • https://cdn.shopify.com/s/files/1/0431/7252/8292/files/nivapavuxok.pdf
    • https://cdn.shopify.com/s/files/1/0429/2008/3612/files/sotigado.pdf
    • https://cdn.shopify.com/s/files/1/0432/8692/1376/files/4954223502.pdf
    • https://cdn.shopify.com/s/files/1/0434/7265/0397/files/62251073737.pdf
    • https://cdn.shopify.com/s/files/1/0431/0456/7450/files/cyber_security_vs_information_security_salary.pdf
    • https://cdn.shopify.com/s/files/1/0430/2965/9797/files/zarabiwarafedakerivuso.pdf
    • https://static.usrfiles.com/ugd/fedf23_029707fba15b42bdbd1e4e23983a8d72.pdf
    • https://static.usrfiles.com/ugd/b8c837_67eb5d5703fc4132aa067bcf59a9372d.pdf
    • https://static.usrfiles.com/ugd/b8c837_821648b7c17e4019bf625a92ac4bc5d1.pdf
    • https://static.usrfiles.com/ugd/e4ff69_067e835095d444abac186b115a810931.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062ff.bin
115a10898378996af84c1cead2865e5a320ea5cde95081be9d860094b0277f84		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62FF 5896 bytes
font_01_sfnt_off000076fd.bin
66f5152ff48498ef0584aa8a2adea5144d8376b284d202e2bf174e7277b19488		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76FD 10364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.