Malicious PDF — malware analysis report

Static analysis result for SHA-256 4af38a1d311206c1…

MALICIOUS

PDF

39.7 KB Created: 2020-09-02 23:32:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7fdc0c35de1f909166244204fa89ce59 SHA-1: 255cb0835b977e2f075b2a4d01d99aa6feccc035 SHA-256: 4af38a1d311206c16d0c8027ec9f3b9fb5710c955471344fcd44d35942d7be40
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL identified is https://ttraff.link/wix?keyword=formation+ergoth%25C3%25A9rapie+universit%25C3%25A9+de+montr%25C3%25A9al, which is likely used to lure victims to a malicious site. The document body, though heavily obfuscated, also contains this URL and other links to external PDFs, suggesting a link farm or redirection strategy.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=formation+ergoth%25C3%25A9rapie+universit%25C3%25A9+de+montr%25C3%25A9al
    • https://cdn.shopify.com/s/files/1/0437/7565/6097/files/african_countries_and_capital_cities.pdf
    • https://cdn.shopify.com/s/files/1/0430/8205/5842/files/18180894527.pdf
    • https://cdn.shopify.com/s/files/1/0433/6697/3598/files/99775542333.pdf
    • https://cdn.shopify.com/s/files/1/0434/5410/3713/files/12724768767.pdf
    • https://static.usrfiles.com/ugd/451461_019aa96cdee543d6bb85d495887dd471.pdf
    • https://static.usrfiles.com/ugd/3aca14_ecde3484d93e458bb31f3fd3d9b91dc4.pdf
    • https://static.usrfiles.com/ugd/739437_ab96fc524c284516badff218d2cbced2.pdf
    • https://static.usrfiles.com/ugd/83b1b3_5f29af1a1d8f49eba0e20603f2c20736.pdf
    • https://static.usrfiles.com/ugd/b8c837_790f5b5790084de09fb769b98c727ceb.pdf
    • https://static.usrfiles.com/ugd/b8c837_34b81b2833fc441aafdca4b7fd7019ea.pdf
    • https://cdn.shopify.com/s/files/1/0430/6649/1042/files/tubonatazarefa.pdf
    • https://cdn.shopify.com/s/files/1/0461/9465/5390/files/nilomu.pdf
    • https://cdn.shopify.com/s/files/1/0428/7181/6358/files/65668280871.pdf
    • https://cdn.shopify.com/s/files/1/0437/2054/0310/files/mejogasam.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000059f1.bin
d422327df55481793ecef1aead3a639e596298b8800b8a986326935ada068aaa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59F1 5528 bytes
font_01_sfnt_off00006c51.bin
abd21afccecf812ffdd58ae8d2213fdf942c3cb840d9deadfabe1e03b76da17e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C51 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.