Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b27ceffdda9682c…

MALICIOUS

PDF

44.7 KB Created: 2020-08-10 05:28:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 70b03b1caa16bc4be4e0484ab9c391a0 SHA-1: 28cea421dffa321a5a73323ae6c09b4796166f61 SHA-256: 4b27ceffdda9682ccaa05042ffeeb3754cc7e479a28a2cddb6e17cf853b2d618
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one specifically pointing to a known malicious redirector. The document body, though partially corrupted, indicates a lure related to '4th grade math word problems worksheet pdf'. The presence of numerous external PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning attempt to distribute malicious content. The primary malicious URL identified is ttraff.com.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=4th+grade+math+word+problems+worksheet+pdf
    • http://files.nuyounutrition.com/uploads/1/3/2/6/132681617/xugekoda-wurefubozaganaf.pdf
    • http://files.alanurbanhomes.com/uploads/1/3/2/6/132696104/1120979.pdf
    • http://molasaj.waywardcompass.com/uploads/1/3/1/4/131438641/kanutor-verabuwo.pdf
    • http://files.cedarviewbaptist.com/uploads/1/3/1/4/131408103/2324900.pdf
    • https://cdn.shopify.com/s/files/1/0433/6300/8661/files/54224393918.pdf
    • https://cdn.shopify.com/s/files/1/0433/0107/7142/files/suwaruzol.pdf
    • https://cdn.shopify.com/s/files/1/0432/6280/4136/files/bowab.pdf
    • https://cdn.shopify.com/s/files/1/0447/4611/3173/files/sir_arthur_conan_doyle_sherlock_holmes.pdf
    • https://cdn.shopify.com/s/files/1/0435/9720/1567/files/edema_agudo_pulmonar_pediatria.pdf
    • https://cdn.shopify.com/s/files/1/0432/4445/4051/files/acer_aspire_one_d250_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/3358/2998/files/97851715296.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/30553092986.pdf
    • https://cdn.shopify.com/s/files/1/0434/6563/8050/files/tatogezezozobaveku.pdf
    • https://cdn.shopify.com/s/files/1/0439/7613/0718/files/customer_behavior_analysis.pdf
    • https://cdn.shopify.com/s/files/1/0435/3956/2651/files/49687046118.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070c4.bin
38d1fa478a3cba5d6096f7ce5513b17d28cabb4096e4de4e5e7475b671bec2d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70C4 5744 bytes
font_01_sfnt_off00008434.bin
a2f844f1478b86698bc016aeaa7bd1364906020a6e1f18146d925666b012de54		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8434 9772 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.