Malicious PDF — malware analysis report

Static analysis result for SHA-256 39e0f81f0a411530…

MALICIOUS

PDF

42.9 KB Created: 2020-08-22 18:10:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 47905b0fa4bb1575da832ba7bc639440 SHA-1: 2bf2cf83c54101b21f55504c987c354cd2c416ac SHA-256: 39e0f81f0a4115307660b45f26d66f986a1d098f0388558c15e55b8211c2e6d5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link disguised as a worksheet, which redirects to a known malicious URL. The PDF also exhibits characteristics of a link farm, with numerous embedded links pointing to various external resources, many of which are hosted on Shopify. The primary malicious link identified is 'https://ttraff.cc/pify?keyword=fraction+word+problems+multiplication+and+division+worksheet', which is flagged as a malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=fraction+word+problems+multiplication+and+division+worksheet
    • http://files.glummonkey.com/uploads/1/3/0/8/130813461/janupimefobapigedeg.pdf
    • http://zajumasug.adventist-mission-philippines.com/uploads/1/3/1/4/131453177/xuwoxonutimuwis-xumuvosotifazit-dobojanitizet.pdf
    • http://buwidod.autumnmeadowco.com/uploads/1/3/0/8/130874633/kamedilafosogo_vozem_vavamawudizi_xibubamirox.pdf
    • http://sevufejox.isabellexing.com/uploads/1/3/1/6/131636725/a7fd16dd.pdf
    • https://cdn.shopify.com/s/files/1/0432/0470/6464/files/vibiborajutimenedamirazaw.pdf
    • https://cdn.shopify.com/s/files/1/0440/4396/0485/files/sukinamul.pdf
    • https://cdn.shopify.com/s/files/1/0428/7689/5398/files/php_global_variable.pdf
    • https://cdn.shopify.com/s/files/1/0428/2623/6063/files/99688451120.pdf
    • https://cdn.shopify.com/s/files/1/0434/5790/4792/files/zuriwelixenetopolifexu.pdf
    • https://cdn.shopify.com/s/files/1/0434/4374/9029/files/bestand_samenvoegen.pdf
    • https://cdn.shopify.com/s/files/1/0463/0570/6146/files/gdpr_gap_analysis_report_template.pdf
    • https://cdn.shopify.com/s/files/1/0434/6108/3301/files/beholden_to_the_throne.pdf
    • https://cdn.shopify.com/s/files/1/0434/4718/9670/files/96442098628.pdf
    • https://cdn.shopify.com/s/files/1/0429/3391/1705/files/kivirarilevugojomitaju.pdf
    • https://cdn.shopify.com/s/files/1/0439/8225/8334/files/61370758909.pdf
    • https://cdn.shopify.com/s/files/1/0430/7176/6690/files/godepibupulani.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006874.bin
25d42557fe08cbd92ea47c046ccd2c9437a5813c18a41baf51832d3d40f97d46		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6874 5624 bytes
font_01_sfnt_off00007b75.bin
f517db265eb6b1fe61184673c92e80cb7bcd4b8c89295303b58adf1286f8b723		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B75 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.