Malicious PDF — malware analysis report

Static analysis result for SHA-256 38ee1c303d53960f…

MALICIOUS

PDF

57.2 KB Created: 2020-08-21 22:47:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 923d5da043c272b581ad740f9f68c9ec SHA-1: 4787e76e7e272e3b26554a914eacc67da1e050f8 SHA-256: 38ee1c303d53960fa72e2c3f7858bd388383fe886865bb8acc467bfbe01f11fa
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. The primary malicious link, https://ttraff.com/pify?keyword=prise+d%2527+otage+de+beslan+reportage, is a redirector. The document body, though heavily obfuscated, appears to contain text related to the 'prise d'otage de beslan reportage' and the malicious URL, suggesting a lure to entice users to click the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=prise+d%2527+otage+de+beslan+reportage
    • http://files.hunterdonchurch.org/uploads/1/3/0/9/130969057/lanajukomefibo_budukovirudola_rogoperabuj_menabeg.pdf
    • http://files.messianiclaw.com/uploads/1/3/1/4/131437671/96b168b8553fddc.pdf
    • http://files.setthestagecostumesprops.com/uploads/1/3/0/7/130775011/voxubozakudukugabub.pdf
    • http://files.maxstrength.org/uploads/1/3/1/4/131453221/aca04ed27748d3.pdf
    • https://cdn.shopify.com/s/files/1/0438/2952/6690/files/55631339580.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/texirid.pdf
    • https://cdn.shopify.com/s/files/1/0439/3467/9208/files/todos_los_tipos_de_anemias.pdf
    • https://cdn.shopify.com/s/files/1/0428/9318/1095/files/angularjs_read_file.pdf
    • https://cdn.shopify.com/s/files/1/0429/7441/2949/files/71683957953.pdf
    • https://cdn.shopify.com/s/files/1/0429/4259/5239/files/tovizifavumutojafadagidug.pdf
    • https://cdn.shopify.com/s/files/1/0431/1826/4469/files/15324205887.pdf
    • https://cdn.shopify.com/s/files/1/0434/2261/3669/files/yo_whatsapp_apk_old_version.pdf
    • https://cdn.shopify.com/s/files/1/0435/7003/6904/files/ap_computer_science_book.pdf
    • https://cdn.shopify.com/s/files/1/0432/6942/3269/files/85163241444.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009cf3.bin
101fd85d2057f5310c87f94f169197dd43e11fc2110500e527f37fd5b6cac4bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9CF3 5300 bytes
font_01_sfnt_off0000af02.bin
9d383e9aa776664008a6af74e1526bc4cd14426e75816e7a3914aa16c2c897ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAF02 12512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.