Malicious PDF — malware analysis report

Static analysis result for SHA-256 354a1ea1738b21a3…

Verdict: MALICIOUS
File type: PDF

Size: 54.7 KB
Created: 2020-08-23 19:47:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82536835f69fdb498a60fb9fe0755926
SHA-1: 79beeb4f16c99e4e137c973f3f306ec2481284e5
SHA-256: 354a1ea1738b21a346402657a6ba705aa91294f531445a0edef66c1be378af7b
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF contains ten clickable external links. One points to ttraff.com, a known malicious redirector; the other nine point to .pdf files, eight of them clustered on cdn.shopify.com. The PDF_SEO_LINK_FARM heuristic flags this pattern: a small, machine-generated document (the authoring application is wkhtmltopdf, an HTML-to-PDF converter) whose content is essentially a dense set of external PDF links, consistent with search-engine manipulation that funnels users toward further carrier documents. The redirector URL is the primary indicator of malicious intent; the link farm alone would be suspicious but not conclusive.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in what the link resolves to at click time, not in opening the file.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host (here, eight of nine on cdn.shopify.com). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link targets (URI actions):
    • https://ttraff.com/pify?keyword=eu4+center+of+reformation
    • http://files.standrewsnl.org/uploads/1/3/0/8/130874339/fiwarizepusi.pdf
    • https://cdn.shopify.com/s/files/1/0432/3927/6699/files/ode_to_joy_chords.pdf
    • https://cdn.shopify.com/s/files/1/0430/6727/7469/files/85966492648.pdf
    • https://cdn.shopify.com/s/files/1/0439/2330/8712/files/autocad_frame_variable.pdf
    • https://cdn.shopify.com/s/files/1/0431/6522/1028/files/bidilobamapovunuji.pdf
    • https://cdn.shopify.com/s/files/1/0429/3004/5091/files/general_mathematics_book.pdf
    • https://cdn.shopify.com/s/files/1/0431/3314/1149/files/adventism_in_zambia_by_matandiko.pdf
    • https://cdn.shopify.com/s/files/1/0428/5644/8167/files/1550630643.pdf
    • https://cdn.shopify.com/s/files/1/0452/1220/5216/files/76703650916.pdf
    XMP/RDF namespace identifiers from the document metadata stream (not navigable links; present in any XMP-tagged PDF and not indicators on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
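The two critical heuristics above are simple to reproduce. The following is an added example, not the analysis platform's own code: it scans raw PDF bytes for clickable URI actions (`/URI (...)` literal strings), clusters the external .pdf targets by host, and flags any target on a known redirector host. The thresholds (MIN_PDF_LINKS, MAX_CARRIER_SIZE, CLUSTER_RATIO) are assumptions, the redirector list contains only the one host named in this report, and the sample PDF is constructed inline with a subset of the URLs listed above plus an XMP metadata stream, to show that namespace URIs are not counted as links.

```python
"""Link-farm / redirector heuristics for PDF carriers (added example).

Scans raw PDF bytes for clickable URI actions, clusters the external .pdf
targets by host, and flags known redirector hosts. Thresholds are assumed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds (the report does not publish the real ones).
MIN_PDF_LINKS = 5            # at least this many clickable external .pdf links
MAX_CARRIER_SIZE = 200_000   # "small PDF": under roughly 200 KB
CLUSTER_RATIO = 0.5          # one host holds at least half of the .pdf links
# The one redirector host named in the report; a real list is a threat-intel feed.
KNOWN_REDIRECTORS = {"ttraff.com"}

# A /URI key followed by a PDF literal string. Backslash-escaped characters
# (including "\)") are consumed as pairs so a ")" inside a URL does not end it.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def extract_uri_actions(pdf: bytes) -> list[str]:
    """Return clickable URI action targets in document order.

    Only /URI literal strings are matched, so XMP namespace URIs in the
    metadata stream (rdf, dc, xmp, ...) are not reported as links.
    """
    targets = []
    for m in URI_LITERAL.finditer(pdf):
        unescaped = re.sub(rb"\\(.)", rb"\1", m.group(1), flags=re.S)
        targets.append(unescaped.decode("latin-1"))
    return targets


def analyze(pdf: bytes) -> dict:
    """Apply the redirector and link-farm heuristics; return a findings dict."""
    links = extract_uri_actions(pdf)
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    redirectors = sorted({urlsplit(u).hostname for u in links} & KNOWN_REDIRECTORS)

    heuristics = []
    if redirectors:
        heuristics.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf) < MAX_CARRIER_SIZE and len(pdf_links) >= MIN_PDF_LINKS
            and top_count / len(pdf_links) >= CLUSTER_RATIO):
        heuristics.append("PDF_SEO_LINK_FARM")
    if links:
        heuristics.append("EMBEDDED_URL")
    return {
        "size": len(pdf),
        "total_links": len(links),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(top_count / len(pdf_links), 2) if pdf_links else 0.0,
        "redirector_hosts": redirectors,
        "heuristics": heuristics,
    }


# Constructed, deliberately minimal PDF (no xref table): six link annotations
# plus an XMP metadata stream whose namespace URIs must NOT count as links.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj
4 0 obj << /Type /Metadata /Subtype /XML >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.com/pify?keyword=eu4+center+of+reformation) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.standrewsnl.org/uploads/1/3/0/8/130874339/fiwarizepusi.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0432/3927/6699/files/ode_to_joy_chords.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0430/6727/7469/files/85966492648.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0439/2330/8712/files/autocad_frame_variable.pdf) >> >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0431/6522/1028/files/bidilobamapovunuji.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 6 links, 5 of them .pdf targets with cdn.shopify.com holding 0.8 of them, ttraff.com as a redirector host, and all three heuristic IDs. The caveat for real samples: a raw byte scan only sees uncompressed literal strings. Link annotations stored inside FlateDecode object streams, or written as hex strings (`/URI <...>`), are missed, so in production run the same logic over objects decoded by a PDF parser rather than over the file bytes.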

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font streams, which are normal for a rendered HTML-to-PDF document; none of the three heuristics above concern them.

Filename: font_00_sfnt_off00009b06.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9B06
  Size:    4864 bytes
  SHA-256: baa58f056e74f76074eccf9d7b1a896c734b7ffb871ff81057609a732bdc4143

Filename: font_01_sfnt_off0000ab7a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xAB7A
  Size:    10348 bytes
  SHA-256: 2423a41621d9eb9435d3d84e05f38d791faafe1650fbc2d8a00c027b4803e993