Malicious PDF — malware analysis report

Static analysis result for SHA-256 30d1c03e1a551a20…

MALICIOUS

PDF

37.8 KB Created: 2020-08-14 12:37:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 66b8489340924d51c160ac51f799820a SHA-1: 30bfd69c422724c353dde1492d81bdc7adcc8e9b SHA-256: 30d1c03e1a551a20f048a8d9427415e39de42ac56c69a6fb22d0365a6631477f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, a technique often used in SEO link farms to generate traffic or distribute malicious content. One of the primary links, 'https://ttraff.ru/pify?keyword=action+verbs+worksheets+grade+4', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to the same URL, indicating an attempt to lure users into clicking malicious links under the guise of educational material.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=action+verbs+worksheets+grade+4
    • http://files.christthevictor.org/uploads/1/3/0/7/130775837/5118894.pdf
    • http://sorijopi.evolve-sg.com/uploads/1/3/0/7/130776824/5e0bc2925b99f58.pdf
    • http://dufijuna.bishopheating.com/uploads/1/3/2/6/132682883/vejodoxoteguk.pdf
    • https://cdn.shopify.com/s/files/1/0441/2804/3160/files/xivewekopaxitin.pdf
    • https://cdn.shopify.com/s/files/1/0435/4742/6975/files/42054109586.pdf
    • https://cdn.shopify.com/s/files/1/0436/3865/3086/files/91231678375.pdf
    • https://cdn.shopify.com/s/files/1/0434/8523/3304/files/28923060472.pdf
    • https://cdn.shopify.com/s/files/1/0430/8795/4073/files/bordeaux_map.pdf
    • https://cdn.shopify.com/s/files/1/0436/9465/3594/files/gw2_firebrand_build.pdf
    • https://cdn.shopify.com/s/files/1/0434/4211/0625/files/merry_christmas_pictures.pdf
    • https://cdn.shopify.com/s/files/1/0436/2534/9273/files/94754806712.pdf
    • https://cdn.shopify.com/s/files/1/0432/6693/2902/files/dizepabubuvab.pdf
    • https://cdn.shopify.com/s/files/1/0435/5234/2184/files/mirofojojepufosa.pdf
    • https://cdn.shopify.com/s/files/1/0431/9333/5970/files/biblia_de_jerusalen.pdf
    • https://cdn.shopify.com/s/files/1/0430/5397/3657/files/rotating_videos_in_imovie.pdf
    • https://cdn.shopify.com/s/files/1/0435/7878/5951/files/zidutajodevogadaf.pdf
    • https://cdn.shopify.com/s/files/1/0430/6917/8017/files/sijisesu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000554d.bin
d31970740522cf1618223b636bb917bc152f49b2a1746c21904e62590aa5eae9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x554D 5604 bytes
font_01_sfnt_off00006867.bin
c0abba394e09b866ffd469e3e770414055504b15f7bf6767a4ec75fd341af5a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6867 9876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.