Malicious PDF — malware analysis report

Static analysis result for SHA-256 47ff42424509dcd6…

MALICIOUS

PDF

40.3 KB Created: 2020-08-21 20:08:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73f1d5ce2d1b9db9a75bd47035a421d2 SHA-1: 41c56b0ea00a01e41f72dd4d42b5e67193ab8891 SHA-256: 47ff42424509dcd611049b98888883fbaba46d082a70b2f90aa16d1ff4243ea6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=examining+digit+place+values+common+core+sheets'. This indicates the document's primary purpose is to redirect the user to a potentially harmful site. Additionally, a PDF SEO link farm heuristic was triggered, suggesting the document is part of a larger effort to generate traffic or distribute content via numerous links, many hosted on Shopify. No scripts were extracted, but the embedded URLs and the nature of the heuristics strongly suggest a phishing or malware delivery attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=examining+digit+place+values+common+core+sheets
    • http://files.nicholasalfredo.com/uploads/1/3/0/7/130739693/2612642.pdf
    • http://files.montclairpsychicschool.com/uploads/1/3/0/9/130969543/c2d751f94f89d70.pdf
    • https://cdn.shopify.com/s/files/1/0436/0906/3582/files/3264767584.pdf
    • https://cdn.shopify.com/s/files/1/0428/9350/8771/files/46586631652.pdf
    • https://cdn.shopify.com/s/files/1/0457/8118/8774/files/takuma.pdf
    • https://cdn.shopify.com/s/files/1/0447/7501/4566/files/zexinedipivoxesul.pdf
    • https://cdn.shopify.com/s/files/1/0436/9245/8152/files/77091121448.pdf
    • https://cdn.shopify.com/s/files/1/0433/7437/9164/files/aashto_lrfd_8th_edition_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/6377/9240/files/bimepe.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mowajuvide.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004100.bin
4d4ead9687820ec4e1e8e22009c2f4fc7e657e021787da95721d29cc9b73d217		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4100 5572 bytes
font_01_sfnt_off000053c4.bin
d4ed4897cac276ad8b4432568dbc6a6dc4e77cab6327dc0d74daf3897b35b229		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53C4 1704 bytes
font_02_sfnt_off00005c45.bin
d4ee9058d5b038d6817fb0eae6708832b210e735dd565fb7efee9d60114d5b1d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C45 9944 bytes
font_03_sfnt_off00007e63.bin
2f4327e71332ec50a8853bbb0819e9ec20575883e77e582eeae36ba47425260e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E63 16268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.