Malicious PDF — malware analysis report

Static analysis result for SHA-256 35f16b82a6d440b1…

Verdict: MALICIOUS
File type: PDF
Size: 56.0 KB
Created: 2020-08-30 01:52:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 923d18b52a6633c008e5ba9dd665b503
SHA-1: dae56df2c83aa3ddd33e8ed5855ffc1cbede072f
SHA-256: 35f16b82a6d440b19e71bb2a9e8faec18ecd835f16625ccff5e6c71a85840b47
Risk score: 120

The creation date and producer string are read from the document's own metadata and can be set to anything by whoever generated the file; treat them as claims, not evidence. A wkhtmltopdf producer is nonetheless consistent with a document rendered from an HTML page rather than authored in a desktop application.

Malware insights

MITRE ATT&CK: T1566.002 Spearphishing Attachment; T1059.001 PowerShell

Two caveats on the mapping. In ATT&CK, T1566.002 is Phishing: Spearphishing Link, and Spearphishing Attachment is T1566.001; either reading fits this sample, which is an attachment whose payload is a set of clickable links. The T1059.001 (PowerShell) entry is not backed by anything in the static results below: the heuristics that fired are link-based only and the carved artifacts are fonts, so any PowerShell stage would belong to the redirect chain behind the links, not to this file.

The PDF contains numerous clickable links. One of them, https://ttraff.com/wix?keyword=linux+guide+to+linux+certification, points at known malicious redirector infrastructure; its keyword parameter ('linux guide to linux certification') is the lure the document's visible content is built around. The remaining links form a link farm: many external .pdf URLs clustered on two hosts (static.usrfiles.com and cdn.shopify.com), which is the pattern of generated SEO carrier documents that route visitors into malicious or unwanted-software delivery chains, not a genuine citation pattern. No script, launch-action or embedded-file finding appears in this report; the file's effect depends on the reader clicking a link and on whatever the redirect chain serves at that moment.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so a fully patched reader does not reduce the risk; what matters is where the link leads at the time of the click.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URL
    One or more URLs were extracted from the document. An extracted URL is not a detection in itself; what matters is the channel that reached it (macro, JS, link annotation, document body, ...).
    Redirector URI (the link flagged by PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.com/wix?keyword=linux+guide+to+linux+certification
    External PDF links (the link farm flagged by PDF_SEO_LINK_FARM; 8 on static.usrfiles.com, 7 on cdn.shopify.com):
    • https://static.usrfiles.com/ugd/b8c837_396629ec99d94ffd808ba9b983161948.pdf
    • https://static.usrfiles.com/ugd/54fa57_110fa4b12bc64c3aa6e50feb2a2859b4.pdf
    • https://static.usrfiles.com/ugd/b88e3d_c2caad437c03481dbc8c672438d41d18.pdf
    • https://static.usrfiles.com/ugd/5fd5c1_a3593fe634a842238702a31240ff7f04.pdf
    • https://static.usrfiles.com/ugd/b8c837_8ccab66bbe3a4a7c8b252fca15e89c60.pdf
    • https://static.usrfiles.com/ugd/b8c837_99fe961d527c40e48348b34a240f6a04.pdf
    • https://static.usrfiles.com/ugd/136d07_98ddfdf1a1d0469d88b875b314c3dc1b.pdf
    • https://static.usrfiles.com/ugd/40b9e6_384606936eb949c7894a502ef50e93be.pdf
    • https://cdn.shopify.com/s/files/1/0440/7758/0453/files/ffxiv_kagerou_overlay.pdf
    • https://cdn.shopify.com/s/files/1/0435/6361/4369/files/91202262887.pdf
    • https://cdn.shopify.com/s/files/1/0437/6543/2477/files/72825524323.pdf
    • https://cdn.shopify.com/s/files/1/0436/3301/6982/files/73592170048.pdf
    • https://cdn.shopify.com/s/files/1/0432/8272/7067/files/wamojaxowinujajefi.pdf
    • https://cdn.shopify.com/s/files/1/0433/7372/3800/files/calcul_amortissement_linaire.pdf
    • https://cdn.shopify.com/s/files/1/0435/3956/2651/files/bijokugasuboxezurojenowuf.pdf
    XMP/RDF schema identifiers (standard namespace URIs from the document's metadata; declarations, not navigable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
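The two link heuristics above are mechanical enough to reproduce. The following is an added example, not the analysis platform's own code: it pulls the /URI targets of link actions out of a PDF with a regex over the raw bytes, drops XMP namespace identifiers, and applies both the redirector check and the link-farm check. The thresholds (five or more .pdf links, file at most 200 KB, half or more of them on one host), the minimal PDFs it builds, and every host other than ttraff.com are assumptions constructed for the example.

```python
"""Added example (not the analysis platform's code): extract /URI link-action
targets from a PDF and apply the report's two link heuristics to them."""
import re
from collections import Counter
from urllib.parse import urlparse

# The one host this report names as redirector infrastructure. A real deployment
# would load a curated list; nothing else in this file is a known-bad indicator.
REDIRECTOR_HOSTS = {"ttraff.com"}

# Standard XMP/RDF schema identifiers. A naive "find every URL" pass pulls these
# out of the metadata stream, but they are declarations, not navigable links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# /URI values are PDF strings: a (literal) with backslash escapes or a <hex> string.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape_literal(raw: bytes) -> str:
    # Handles the delimiter escapes \( \) \\ that matter for URIs; octal and
    # \n-style escapes are reduced to the following character (simplification).
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):   # backslash
            i += 1
        out.append(raw[i])
        i += 1
    return out.decode("latin-1")


def extract_link_uris(pdf: bytes) -> list:
    """Targets of /S /URI actions in annotation dictionaries stored as plain
    objects. Annotations packed into object streams (PDF 1.5+) are compressed
    and must be inflated before this pass can see them."""
    uris = [_unescape_literal(m.group(1)) for m in _URI_LITERAL.finditer(pdf)]
    for m in _URI_HEX.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"                         # PDF treats a missing final digit as 0
        uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris


def is_xmp_namespace(uri: str) -> bool:
    return uri.startswith(XMP_NAMESPACE_PREFIXES)


def assess(pdf: bytes, min_pdf_links: int = 5, max_size: int = 200 * 1024,
           cluster_ratio: float = 0.5) -> dict:
    """Apply both heuristics. The thresholds are this example's assumptions;
    the report does not state the values its own heuristics use."""
    uris = [u for u in extract_link_uris(pdf) if not is_xmp_namespace(u)]
    hosts = {urlparse(u).hostname or "" for u in uris}
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_count = (Counter(urlparse(u).hostname for u in pdf_links)
                           .most_common(1) or [("", 0)])[0]
    redirectors = sorted(hosts & REDIRECTOR_HOSTS)
    findings = []
    if redirectors:
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
            and top_count / len(pdf_links) >= cluster_ratio):
        findings.append("PDF_SEO_LINK_FARM")
    return {"size": len(pdf), "uris": uris, "pdf_links": len(pdf_links),
            "top_pdf_host": top_host, "redirector_hosts": redirectors,
            "findings": findings}


def _link_obj(num: int, uri: str, hex_string: bool) -> str:
    value = "<" + uri.encode().hex() + ">" if hex_string else "(" + uri + ")"
    return (f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI {value} >> >> endobj\n")


def build_sample_pdf(links) -> bytes:
    """Constructed minimal PDF (not the analysed sample): one page whose /Annots
    array references one link annotation per (uri, use_hex_string) pair."""
    objs = "".join(_link_obj(10 + i, u, h) for i, (u, h) in enumerate(links))
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(links)))
    return ("%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{refs}] >> endobj\n" + objs
            + "trailer << /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# Mirrors the shape of this report's links: one redirector URI plus .pdf links
# clustered on two hosts. Only the ttraff.com URI is taken from the report.
LINK_FARM_LINKS = [
    ("https://ttraff.com/wix?keyword=linux+guide+to+linux+certification", False),
    ("https://static.usrfiles.com/ugd/aaaa_1.pdf", False),
    ("https://static.usrfiles.com/ugd/aaaa_2.pdf", False),
    ("https://static.usrfiles.com/ugd/aaaa_3.pdf", False),
    (r"https://static.usrfiles.com/ugd/aaaa_\(4\).pdf", False),  # escaped delimiters
    ("https://cdn.shopify.com/s/files/1/0000/files/x.pdf", False),
    ("https://cdn.shopify.com/s/files/1/0001/files/y.pdf", False),
    ("https://example.com/a.pdf", True),                          # hex-string form
    ("https://example.org/about", False),                         # not a .pdf link
]
CLEAN_LINKS = [("https://example.org/paper.pdf", False), ("https://example.net/", False)]
SAMPLE_LINK_FARM_PDF = build_sample_pdf(LINK_FARM_LINKS)
SAMPLE_CLEAN_PDF = build_sample_pdf(CLEAN_LINKS)
```

Run against the constructed link-farm PDF, assess() reports both heuristic names with static.usrfiles.com as the dominant .pdf host; the clean two-link PDF reports nothing. The regex pass is deliberately parser-free so it also works on malformed files, but it only sees annotation dictionaries that are stored as plain objects; a sample that packs its annotations into object streams needs those inflated first, and a sample whose links are built by JavaScript at click time will not show any /URI at all.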

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00009c46.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9C46   5020 bytes
    SHA-256: 759649dd6c3ef0efc32a339f4f4b810c46be3630cd52102ac4317bcc46a981c0
font_01_sfnt_off0000ad6c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xAD6C   11008 bytes
    SHA-256: fb45291777fc36644ac96732af2980f26769fd21a8b67918b991a927219f9cee

Both artifacts are embedded sfnt (TrueType/OpenType container) fonts, which are normal in a PDF rendered from HTML; they match no heuristic above and are listed for completeness. Note that 0x9C46 plus 5020 bytes runs past 0xAD6C (only 4390 bytes separate the two offsets), so the offsets locate the streams as stored in the file while the sizes and hashes describe the decoded font data; at least the first stream must be stored compressed. Slicing the file at offset and size will therefore not reproduce these hashes.
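A font carver that produces a table like the one above has to inflate compressed streams before it can recognise a font, which is why the recorded size of a FlateDecode stream can exceed the room the stream occupies on disk. The following is an added example, not the report's own carver: it walks stream/endstream pairs, tries zlib on each, validates the sfnt table directory, and records the file offset of the stream data alongside the decoded size and SHA-256. The two fonts and the PDF container it runs on are constructed inside the block (zero table checksums, a 64-table sanity limit); none of it is the analysed sample's bytes.

```python
"""Added example (not the report's carver): locate PDF streams, inflate
FlateDecode ones, and keep those that parse as an sfnt font container."""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType, Apple TrueType, CFF OpenType
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sfnt_length(buf: bytes, off: int = 0):
    """Byte length of the sfnt at buf[off:], derived from its table directory:
    the font ends where its last table ends, rounded up to 4 bytes. None if the
    bytes are not a plausible sfnt (also rejects the 'true' PDF keyword)."""
    if buf[off:off + 4] not in SFNT_MAGICS or off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 0 < num_tables <= 64:              # real fonts carry a handful to a few dozen tables
        return None
    end = 12 + 16 * num_tables
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", buf, rec)
        if not all(0x20 <= b < 0x7F for b in tag) or toff + tlen > len(buf) - off:
            return None                       # tags are printable ASCII; tables must fit
        end = max(end, toff + tlen)
    return (end + 3) & ~3


def carve_fonts(pdf: bytes) -> list:
    """Offset is where the stream data sits in the file; size and hash are of
    the decoded bytes, so for a compressed stream size can exceed the space the
    stream occupies on disk. Only Flate (or no) filter is handled here."""
    found = []
    for m in _STREAM.finditer(pdf):
        raw = m.group(1)
        try:
            data, compressed = zlib.decompress(raw), True
        except zlib.error:
            data, compressed = raw, False     # stored uncompressed, or a filter we do not handle
        if sfnt_length(data) is None:
            continue
        found.append({"offset": m.start(1), "size": len(data),
                      "compressed": compressed, "sha256": sha256_hex(data)})
    return found


def _fake_sfnt(tables) -> bytes:
    """Constructed sfnt: version tag, table directory, then 4-byte-padded tables.
    Checksums are left zero; the structure is what the carver inspects."""
    n = len(tables)
    off = 12 + 16 * n
    recs, body = b"", b""
    for tag, data in tables:
        recs += struct.pack(">4sIII", tag, 0, off, len(data))
        data += b"\0" * (-len(data) % 4)
        body += data
        off += len(data)
    return struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0) + recs + body


def _stream_obj(num: int, data: bytes, flate: bool) -> bytes:
    filt = b""
    if flate:
        data, filt = zlib.compress(data), b" /Filter /FlateDecode"
    return (b"%d 0 obj << /Length %d%s >> stream\n" % (num, len(data), filt)
            + data + b"\nendstream endobj\n")


FONT1 = _fake_sfnt([(b"head", b"A" * 54), (b"cmap", b"B" * 10)])   # 112 bytes
FONT2 = _fake_sfnt([(b"OS/2", b"C" * 20)])                          # 48 bytes
# Constructed container: a page content stream (skipped), a Flate-compressed
# font stream and a stored font stream. Not the analysed sample's bytes.
SAMPLE_PDF = (b"%PDF-1.4\n" + _stream_obj(4, b"BT /F1 12 Tf (hello) Tj ET", False)
              + _stream_obj(5, FONT1, True) + _stream_obj(6, FONT2, False) + b"%%EOF\n")
```

On the constructed container carve_fonts() returns the two fonts in file order, the first marked compressed with a decoded size larger than its on-disk stream, and the content stream is rejected by the directory check. Real samples add two wrinkles this example leaves out: streams whose /Length is an indirect reference (the regex sidesteps that by searching for endstream) and filters other than Flate, which zlib.decompress will reject and the carver will then treat as stored bytes.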