Malicious PDF — malware analysis report

Static analysis result for SHA-256 46725d9a7c61d81c…

Verdict: MALICIOUS
File type: PDF
Size: 50.8 KB
Created: 2020-08-20 05:07:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bba1e96ff5a50dbd6dfa6225759f871d
SHA-1: 1ed954be4870ba602b4df8d284a44328442127be
SHA-256: 46725d9a7c61d81caf28cedbe19b37be7498f1e7cc2c9fa69dd4fcfeeebdfb43
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a download button, aiming to lure users to a malicious site. The document body contains obfuscated text and the URL 'https://ttraff.com/pify?keyword=solapur+talathi+exam+hall+ticket+2019' is flagged as a known malicious redirector. The PDF also hosts a large number of external links, many pointing to Shopify, suggesting a link farm for SEO poisoning.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] (SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=solapur+talathi+exam+hall+ticket+2019
    • http://files.zanesmithmusic.com/uploads/1/3/1/6/131607363/1266591.pdf
    • https://cdn.shopify.com/s/files/1/0435/2373/5720/files/linijijolifoforudokegol.pdf
    • https://cdn.shopify.com/s/files/1/0430/6495/0945/files/viwubawegajigexufigotijud.pdf
    • https://cdn.shopify.com/s/files/1/0429/4190/7110/files/62084987282.pdf
    • https://cdn.shopify.com/s/files/1/0433/9780/8285/files/49690871545.pdf
    • https://cdn.shopify.com/s/files/1/0428/0310/1863/files/19752411116.pdf
    • https://cdn.shopify.com/s/files/1/0429/5809/4495/files/pufoxegomusanulewa.pdf
    • https://cdn.shopify.com/s/files/1/0429/5789/7882/files/project_monitoring_and_evaluation_framework.pdf
    • https://cdn.shopify.com/s/files/1/0437/6189/3534/files/vehicle_damage_check_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0434/6111/6064/files/torewemikagitidazoveg.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007171.bin
  SHA-256: 1f44bd2015953988d0d5de66b86e29f538a12ac19548206d1ad9b2a2dc22b939
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7171
  Size: 5712 bytes

Filename: font_01_sfnt_off000084cc.bin
  SHA-256: 41d531a389ca9034ed861b7e1cfbbfa01cdb284d06fd72b5e92ff0bef3ac8efc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x84CC
  Size: 13520 bytes

Filename: font_02_sfnt_off0000af49.bin
  SHA-256: bb0fd43b885b75773d597fe2a11e69ea0576453efbd41377c89160621b4e1ddc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAF49
  Size: 4044 bytes