Malicious PDF — malware analysis report

Static analysis result for SHA-256 46f2670f00318e32…

MALICIOUS

PDF

51.8 KB Created: 2020-08-15 05:34:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bbf0aed356e3941b9e56e8ec663613e SHA-1: f1015a3056122ebaead979f17923a4c133bf464c SHA-256: 46f2670f00318e327ff9b224bc905f2cbcafbefffba41466e379420b95dfebfd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.cc/pify?keyword=hard+football+quiz+with+answers', is designed to lure users to malicious infrastructure. The document also contains a large number of embedded links, many pointing to Shopify domains, suggesting a link farm or SEO poisoning tactic to distribute the malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=hard+football+quiz+with+answers
    • http://files.americanmelodrama.com/uploads/1/3/2/7/132712080/9159600.pdf
    • http://files.msgarciaslaterk.com/uploads/1/3/1/3/131383580/fojononukogeka.pdf
    • https://cdn.shopify.com/s/files/1/0436/1004/6621/files/padma_shri_award_2020.pdf
    • https://cdn.shopify.com/s/files/1/0429/2254/1209/files/tades.pdf
    • https://cdn.shopify.com/s/files/1/0432/8030/2240/files/55902007969.pdf
    • https://cdn.shopify.com/s/files/1/0429/7365/9292/files/23508359505.pdf
    • https://cdn.shopify.com/s/files/1/0438/4771/2928/files/android_10_xiaomi_redmi_note_8_pro.pdf
    • https://cdn.shopify.com/s/files/1/0431/6377/9240/files/40775329380.pdf
    • https://cdn.shopify.com/s/files/1/0435/4395/3563/files/kirby_table_flip.pdf
    • https://cdn.shopify.com/s/files/1/0436/1981/1490/files/54085980813.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tovaje.pdf
    • https://cdn.shopify.com/s/files/1/0433/5999/4014/files/annexure_e1_for_hssc.pdf
    • https://cdn.shopify.com/s/files/1/0435/0646/6982/files/bring_up_genius_english.pdf
    • https://cdn.shopify.com/s/files/1/0429/3863/0300/files/sign_and_send_pubkey_signing_failed_agent_refused_operation.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000084dc.bin
38782bd04c1768c6ed9e0cfa52a00381683547bf80ad8028bde0c4d47cdbb1d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84DC 5364 bytes
font_01_sfnt_off00009728.bin
a91f0de5aff2548fd927f1fb54a6bd30f1d91636185882e85fe82092ed6531af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9728 13952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.