Malicious PDF — malware analysis report

Static analysis result for SHA-256 2aaa7f5405406137…

MALICIOUS

PDF

73.5 KB Created: 2020-09-14 01:31:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6160c680bf4ecb5950d4fa1f210fb2fc SHA-1: 27d3873cd21e2afc59174d4d190fb0334c1ddafd SHA-256: 2aaa7f5405406137499193639bc89091df7b9dac7f6d3a1c6d556add0a22f58a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link disguised with a seemingly innocuous keyword. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms the link leads to known malicious infrastructure. The PDF_SEO_LINK_FARM heuristic indicates the document is part of a larger link farm, likely for SEO manipulation or to distribute malicious content. No scripts were extracted, but the embedded URL is the primary indicator of compromise.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=total+drama+characters
    • https://cdn.shopify.com/s/files/1/0430/8988/7396/files/dungeons_and_dragons_draconomicon.pdf
    • https://cdn.shopify.com/s/files/1/0440/9327/6312/files/ukcat_abstract_reasoning_mnemonic.pdf
    • https://cdn.shopify.com/s/files/1/0432/5625/0525/files/97884929206.pdf
    • https://static.usrfiles.com/ugd/76de1a_3fc9145af9424c3088e2f897d3622825.pdf
    • https://static.usrfiles.com/ugd/856cea_a1f62ff6ea614a1caf1e54ebe447d323.pdf
    • https://static.usrfiles.com/ugd/bf57b5_573f763aa7634951957c39ed3edece0b.pdf
    • https://static.usrfiles.com/ugd/07ef24_81d5e67f45794e759d395e3bf5fdf0dd.pdf
    • https://cdn.shopify.com/s/files/1/0433/1077/6478/files/numpy_for_python_3._6_mac.pdf
    • https://cdn.shopify.com/s/files/1/0438/3460/5730/files/el_bestiario_libro.pdf
    • https://cdn.shopify.com/s/files/1/0440/5841/1158/files/zerodha_varsity_module_3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e5f1.bin
5d0cc33c8f0934aa3d1909df7523f178a37729aa0dec3793a552078a7f1fc59b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5F1 5128 bytes
font_01_sfnt_off0000f732.bin
aa6cd23645d245c540b64289ca8f588c7b46273fc0987437a43dfdac5b5bc400		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF732 10172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.