Malicious PDF — malware analysis report

Static analysis result for SHA-256 39ef9af9b707f823…

MALICIOUS

PDF

39.0 KB Created: 2020-08-15 05:40:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d740575d1b33128c688a593c07a9524 SHA-1: b8c6cf75f26ffda3e0d6b89ddb4f2c01e43c45df SHA-256: 39ef9af9b707f8234c1c03e2b132e816514d4569810b2fd03d983ebf227c27f4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=odd+and+even+numbers+worksheets+pdf'. This indicates the document is designed to redirect users to malicious infrastructure. Additionally, a PDF link farm heuristic was triggered, suggesting a large number of outbound links, many hosted on cdn.shopify.com, likely for SEO manipulation to increase visibility. The document body contains garbled text but also includes the malicious URL and several Shopify-hosted PDF links, reinforcing the redirection attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=odd+and+even+numbers+worksheets+pdf
    • http://files.ctenbrinkphotography.com/uploads/1/3/1/6/131636951/3896809.pdf
    • http://files.michigancabincraft.com/uploads/1/3/0/8/130813516/xosepuni_miwuluw_melerosokudumax_zuzetux.pdf
    • http://files.weavefutures.com/uploads/1/3/0/9/130969059/kitejuwe-sifeze.pdf
    • https://cdn.shopify.com/s/files/1/0431/1787/1255/files/gafegoditap.pdf
    • https://cdn.shopify.com/s/files/1/0432/6529/4504/files/13273397310.pdf
    • https://cdn.shopify.com/s/files/1/0438/0524/5597/files/tallentex_answer_key_2020.pdf
    • https://cdn.shopify.com/s/files/1/0435/6092/7393/files/is_voicemeeter_safe.pdf
    • https://cdn.shopify.com/s/files/1/0434/5122/0120/files/backbone_design_in_computer_network.pdf
    • https://cdn.shopify.com/s/files/1/0430/8231/7975/files/vexakulus.pdf
    • https://cdn.shopify.com/s/files/1/0428/1732/3175/files/45498891703.pdf
    • https://cdn.shopify.com/s/files/1/0430/7537/1159/files/48236503594.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005997.bin
ed2154cfaafe72c84ccdc5b524040e038dd4a794fd1ffdb01b39b90f51cf6672		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5997 5632 bytes
font_01_sfnt_off00006ca1.bin
3f821765c4d0a8f60faa1e7733f01097f0859a413b7597f776a91ad0bfcad751		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CA1 10132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.