Malicious PDF — malware analysis report

Static analysis result for SHA-256 38f0e7175b70d944…

MALICIOUS

PDF

34.1 KB Created: 2020-08-11 21:13:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fecaa0d36bd849c6e8f5b9e05a1375df SHA-1: 68d518b5ba313c01c66d8627e934b8f3c3394b40 SHA-256: 38f0e7175b70d9441969df92e0cbe6233d0ffbde47e5905627d7818fd3eca914
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=eliciting+sounds+techniques+and+strategies+for+clinicians+pdf'. This indicates the document's primary purpose is to redirect users to malicious infrastructure. Additionally, a heuristic for a PDF link farm was triggered, suggesting a broader campaign of distributing malicious links via PDFs. No scripts were extracted, but the embedded URLs and heuristics strongly suggest a phishing or redirection attack.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=eliciting+sounds+techniques+and+strategies+for+clinicians+pdf
    • http://radukanu.mainesting.com/uploads/1/3/1/6/131606598/kefoze.pdf
    • http://files.thesturdybranch.com/uploads/1/3/1/1/131164153/watose.pdf
    • http://files.joiedevivresantafe.com/uploads/1/3/1/3/131381539/0cdfd79b1f6.pdf
    • https://cdn.shopify.com/s/files/1/0433/9807/0426/files/vilukerodevotani.pdf
    • https://cdn.shopify.com/s/files/1/0431/6784/2465/files/lixeruron.pdf
    • https://cdn.shopify.com/s/files/1/0434/2274/4741/files/34254617931.pdf
    • https://cdn.shopify.com/s/files/1/0429/1110/5191/files/reli_tours_japan_visa_application_form.pdf
    • https://cdn.shopify.com/s/files/1/0429/1395/6007/files/81700492883.pdf
    • https://cdn.shopify.com/s/files/1/0431/3006/0955/files/42472914888.pdf
    • https://cdn.shopify.com/s/files/1/0433/4796/8149/files/mivivuvosak.pdf
    • https://cdn.shopify.com/s/files/1/0441/4518/0824/files/astm_a240_type_304.pdf
    • https://cdn.shopify.com/s/files/1/0439/0807/1576/files/xadonowuvigojigabanizu.pdf
    • https://cdn.shopify.com/s/files/1/0431/6335/3244/files/53974991050.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004818.bin
0c81a31b7f8f431eb983e014260a22ed240a61ac266a44af76cd8462c7545d9f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4818 5500 bytes
font_01_sfnt_off00005abd.bin
1c2b57a180819f801b56df51c09e4b5d5a960bd95f1ce273b9a395002fba7fbb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5ABD 9532 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.