Malicious PDF — malware analysis report

Static analysis result for SHA-256 39f88f6b63cdb1be…

MALICIOUS

PDF

64.7 KB Created: 2020-08-09 11:05:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93b5cfdcb8c8f4648c8b02b5d3c48bae SHA-1: dd5404106ed32726d065229a6c6e26e634d4e5c5 SHA-256: 39f88f6b63cdb1beda39529094ad6e80984188ece7ffd9f9d3fb6e35d4d065fd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to appear as legitimate research papers, but the primary link redirects to a known malicious domain (ttraff.com). This indicates a social engineering tactic to lure users to a malicious site. The PDF structure and embedded links suggest a downloader or redirector pattern, likely leading to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ectomycorrhizae+and+endomycorrhizae+pdf
    • http://files.millerpac.com/uploads/1/3/2/8/132814518/da7d963.pdf
    • http://nojujumo.triulta.com/uploads/1/3/1/4/131453194/8216204.pdf
    • http://files.fbcpc.us/uploads/1/3/1/3/131379899/judoderowirugiwom.pdf
    • https://cdn.shopify.com/s/files/1/0434/9739/0244/files/37670670949.pdf
    • https://cdn.shopify.com/s/files/1/0437/9040/1687/files/jofonav.pdf
    • https://cdn.shopify.com/s/files/1/0435/4650/9461/files/so_this_is_christmas_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0432/5300/6494/files/64743316162.pdf
    • https://cdn.shopify.com/s/files/1/0438/1949/9682/files/99274690626.pdf
    • https://cdn.shopify.com/s/files/1/0429/4829/6857/files/bhagavad_gita_chapter_8_slokas_in_sanskrit.pdf
    • https://cdn.shopify.com/s/files/1/0436/2423/5170/files/98437608061.pdf
    • https://cdn.shopify.com/s/files/1/0431/8475/0741/files/43116244911.pdf
    • https://cdn.shopify.com/s/files/1/0430/8752/8103/files/71459385483.pdf
    • https://cdn.shopify.com/s/files/1/0441/1208/5144/files/povegawatefanufavusadib.pdf
    • https://cdn.shopify.com/s/files/1/0434/2225/3208/files/ccna_course_arabic.pdf
    • https://cdn.shopify.com/s/files/1/0428/5143/4659/files/mawozedasimubexezapod.pdf
    • https://cdn.shopify.com/s/files/1/0439/1396/9819/files/minecraft_account_username_and_passwords.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bb74.bin
c2e29711a707600048f560fea6af4489432ec13f4fc0eef8255b16124790654c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBB74 5296 bytes
font_01_sfnt_off0000cd66.bin
85b5e71c9b37f457a87904dd41da7805fdbc9c0f90535a6c90c7f1b15e3aff42		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCD66 11876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.