Malicious PDF — malware analysis report

Static analysis result for SHA-256 31479ea6717a6294…

Verdict: MALICIOUS
File type: PDF
Size: 46.5 KB
Created: 2020-09-05 02:52:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8355a63f50b9401b254e88ddd44cd832
SHA-1: fba871d1c1534d66abcad79be388953fcb26b4fb
SHA-256: 31479ea6717a6294515e9d8d3c869169dac2e9b210d0358e62fe88fa039d95e7
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A heuristic fired on this PDF indicating that it carries a malicious redirector link, pointing to a URL that appears to be part of a link farm. The document body, although heavily obfuscated, contains the same URL and references a 'citizenship application guide', suggesting a social engineering lure. The primary IOC is the redirector URL, which is likely used to funnel victims to a malicious site.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.me/wix?keyword=citizenship+application+guide+for+adults

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size:
  • font_00_sfnt_off000077d6.bin
    SHA-256: 738ca0ff7e1a92bf512cca2e9bfcd2c81e385c4e7248e8c7d893966a5babe90d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x77D6
    Size: 5372 bytes
  • font_01_sfnt_off00008a1c.bin
    SHA-256: 954119e41a76ee456ad4e4f08c1ae41e638c9f82f0192a07169e0f0de8400335
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A1C
    Size: 10356 bytes