Malicious PDF — malware analysis report

Static analysis result for SHA-256 45af54e795a7e2eb…

MALICIOUS

PDF

40.0 KB Created: 2020-08-30 21:42:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 70bc1c815aefff2f25f0375825380323 SHA-1: 0de4d9a1fe443b1a0f309d713e8c6ffdb900f1b2 SHA-256: 45af54e795a7e2ebe28e624ea54be879532ea897225d0f3a1db907ca890a21d3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in T1059.001 PowerShell

The PDF file contains a critical heuristic indicating it links to known malicious redirector infrastructure. The embedded URL, 'https://ttraff.com/wix?keyword=conjunction+exercise+with+answers+for+class+6', is identified as a malicious redirector. Additionally, the PDF hosts a large number of external links, many pointing to Shopify domains, suggesting a link farm or SEO manipulation tactic to obscure the malicious destination. No scripts were extracted, but the primary attack vector appears to be social engineering via a deceptive link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=conjunction+exercise+with+answers+for+class+6
    • https://cdn.shopify.com/s/files/1/0435/9133/6099/files/as_artimanhas_da_excluso_social.pdf
    • https://cdn.shopify.com/s/files/1/0434/2333/4565/files/50885219366.pdf
    • https://cdn.shopify.com/s/files/1/0431/2426/1026/files/43397378038.pdf
    • https://cdn.shopify.com/s/files/1/0428/1437/4047/files/781295383.pdf
    • https://cdn.shopify.com/s/files/1/0437/0916/9815/files/44864940638.pdf
    • https://static.usrfiles.com/ugd/c0fca2_942be6ce6faf4693bd8fafb715a04021.pdf
    • https://static.usrfiles.com/ugd/b8c837_8cfe5a9e99e744bb962bd9832dc66cee.pdf
    • https://static.usrfiles.com/ugd/b8c837_3d3eb8c9cf294477bd1a2e232c109eff.pdf
    • https://static.usrfiles.com/ugd/493135_96518868d70c430e802a13261ea725eb.pdf
    • https://static.usrfiles.com/ugd/b8c837_a9789247974e447ba1fc982efcc949e2.pdf
    • https://cdn.shopify.com/s/files/1/0434/5259/6374/files/82090426008.pdf
    • https://cdn.shopify.com/s/files/1/0439/4539/4331/files/doxodazexokedosivat.pdf
    • https://cdn.shopify.com/s/files/1/0431/3369/8209/files/12588748381.pdf
    • https://cdn.shopify.com/s/files/1/0437/5353/7690/files/free_of_telegram_for_windows_10.pdf
    • https://cdn.shopify.com/s/files/1/0435/2580/0087/files/pamixopivaku.pdf
    • https://cdn.shopify.com/s/files/1/0431/7003/7917/files/sapezemotibelaboguwiwa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e59.bin
557b5de18fedb77bb304f455f6ab2852d16dbb4cfff8677e70c885f784c2c5cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E59 5264 bytes
font_01_sfnt_off00007055.bin
752646d3c6dc4a42fabda872ae51b906eaeb05e9a65c45235ab7d0c078e183f7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7055 9980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.