Malicious PDF — malware analysis report

Static analysis result for SHA-256 39775e6b76e9b10d…

MALICIOUS

PDF

46.8 KB Created: 2020-08-05 18:12:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7081e4b6c07921335c4750715fa9484a SHA-1: 54b09aa5e2cd454c79eeecafc2b96f7bc5a38c29 SHA-256: 39775e6b76e9b10d6b0b0517cffd6889118127e97b8e04d0b9ce7bffd6ef85f2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link that redirects to a malicious URL, disguised as a job application document. The PDF also contains a large number of external links, many hosted on Shopify, likely for SEO manipulation to improve search engine ranking for malicious content. The embedded URL 'https://ttraff.cc/pify?keyword=it+project+manager+cover+letter+pdf' is a known malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=it+project+manager+cover+letter+pdf
    • http://files.mikefraserphotography.co.uk/uploads/1/3/1/8/131857920/2b2a9b60c21347c.pdf
    • http://files.speakerpower.net/uploads/1/3/1/4/131406826/75a7a929836c.pdf
    • http://files.polesworthpoetrytrail.org/uploads/1/3/1/4/131438776/kugizoribati.pdf
    • http://files.faithmortimerauthor.com/uploads/1/3/0/8/130874141/4623097.pdf
    • https://cdn.shopify.com/s/files/1/0434/0688/5031/files/sewebi.pdf
    • https://cdn.shopify.com/s/files/1/0433/6277/9295/files/gosuruzad.pdf
    • https://cdn.shopify.com/s/files/1/0432/5467/7662/files/fotizinifidaxela.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/72518400380.pdf
    • https://cdn.shopify.com/s/files/1/0428/6706/4991/files/hebrew_bible_old_testament.pdf
    • https://cdn.shopify.com/s/files/1/0434/0531/2154/files/86740142946.pdf
    • https://cdn.shopify.com/s/files/1/0433/3672/8744/files/7301041983.pdf
    • https://cdn.shopify.com/s/files/1/0431/8704/4515/files/34343249855.pdf
    • https://cdn.shopify.com/s/files/1/0431/0876/1751/files/daduzaderizefovepo.pdf
    • https://cdn.shopify.com/s/files/1/0437/9534/9666/files/82335451326.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007681.bin
f48754950dcab7b76ea3a04616f972968f259d9f40f50a54cbb5b3defd770545		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7681 5368 bytes
font_01_sfnt_off000088bc.bin
4b4bee5119644dbc050d4c23e85f9073db9c476be3c31a003fa0f341c893ca50		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88BC 10944 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.