Malicious PDF — malware analysis report

Static analysis result for SHA-256 322d56600086a518…

Verdict: MALICIOUS
File type: PDF
Size: 73.1 KB
Created: 2020-08-07 08:50:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5eec79cf320dd082f3c335c4841f0548
SHA-1: 081c60771c715fc740dcdfc86503cf6d7536917f
SHA-256: 322d56600086a518e3a3124d4bf4fba3a946f7ee0fc5cd42424e757ee4e422c1
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains embedded JavaScript and multiple external links, with a critical heuristic identifying a malicious redirector. The primary malicious link, 'https://ttraff.cc/pify?keyword=california+dmv+vehicle+transfer+form+pdf', is presented as a vehicle transfer form, indicating a phishing or malware delivery attempt. The document body, though heavily obfuscated, also contains this URL, reinforcing the malicious intent. No specific malware family could be identified.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded JS stream [low] (PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/pify?keyword=california+dmv+vehicle+transfer+form+pdf
    • http://kunapus.ras.saintleoresidencelife.com/uploads/1/3/1/4/131438216/9980825.pdf
    • http://files.seizediem.com/uploads/1/3/1/4/131438741/vewim_gifesimefipotu.pdf
    • http://files.mrbroviak.com/uploads/1/3/1/4/131408581/legijodifot.pdf
    • https://cdn.shopify.com/s/files/1/0433/3889/1419/files/58973226578.pdf
    • https://cdn.shopify.com/s/files/1/0434/8333/2772/files/understanding_psychology_by_feldman_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/0645/2127/files/44465570685.pdf
    • https://cdn.shopify.com/s/files/1/0440/8439/6184/files/vce_to_converter_online_android.pdf
    • https://cdn.shopify.com/s/files/1/0431/0922/0501/files/77244942720.pdf
    • https://cdn.shopify.com/s/files/1/0430/8946/1410/files/gizaboxutugipikiso.pdf
    • https://cdn.shopify.com/s/files/1/0435/7003/6904/files/cdma_technology.pdf
    • https://cdn.shopify.com/s/files/1/0438/2703/6322/files/53350782299.pdf
    • https://cdn.shopify.com/s/files/1/0433/8168/6437/files/pekokudisaxuboj.pdf
    • https://cdn.shopify.com/s/files/1/0429/2398/3001/files/60527817319.pdf
    • https://cdn.shopify.com/s/files/1/0428/2109/1484/files/8487702682.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off0000976c.bin
  SHA-256: d9c7132e9f494079468a6fe769e181eb4be38376f04e12fde1201a00537f54e7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x976C
  Size: 6176 bytes

font_01_sfnt_off0000acf5.bin
  SHA-256: 93b87bf90622c6f978030c735e64a226fe8a1cdbe1669574185049e9322a7d63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xACF5
  Size: 5360 bytes

font_02_sfnt_off0000bf0a.bin
  SHA-256: b91f3c26f37c28538ed09035cbea6f9221827f1e30b50c452f08cc820bcc167b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBF0A
  Size: 3720 bytes

font_03_sfnt_off0000ca6c.bin
  SHA-256: bf97db2bebee5517333433751778031d74667d12359cc41808f984631a2d2789
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCA6C
  Size: 4400 bytes

font_04_sfnt_off0000db23.bin
  SHA-256: 3785b14762c746249b35f73715bef8df84565f4b48d5b66e109419422767e79a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDB23
  Size: 12804 bytes

font_05_sfnt_off0001047b.bin
  SHA-256: 2a8272f1806dea2b295556caff9ff033daf9b494432ebfe85305e2663f7dd952
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1047B
  Size: 4584 bytes