Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d390ca5d777f7c9…

MALICIOUS

PDF

42.9 KB Created: 2020-08-09 14:09:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f5c51ba6cd64c30e05d0d6cd1378100 SHA-1: 47a94d54ace11a3f04d855edbe3aa767340acf95 SHA-256: 4d390ca5d777f7c9d821d1ac47e322eb92d462f705eb2c1b85a617148b2b5ec7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm and a redirector to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics. The document body text and embedded URLs suggest a lure for downloading a PDF, which ultimately leads to the ttraff.com redirector. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=surah+yaseen+pdf+file+download
    • http://files.jodiclarkecounseling.com/uploads/1/3/0/7/130776458/2f9460fb2e1.pdf
    • http://files.goldsheen-sapphires.com/uploads/1/3/1/4/131482878/d2785046256.pdf
    • http://najan.deltank.com/uploads/1/3/0/7/130776485/xafafal.pdf
    • https://cdn.shopify.com/s/files/1/0435/3772/7637/files/35778089318.pdf
    • https://cdn.shopify.com/s/files/1/0439/5030/9531/files/4018366534.pdf
    • https://cdn.shopify.com/s/files/1/0428/6958/8127/files/dedugefijareduj.pdf
    • https://cdn.shopify.com/s/files/1/0436/6431/0425/files/vinolufagijemawunan.pdf
    • https://cdn.shopify.com/s/files/1/0430/8919/9268/files/burenatefofuvunozapowi.pdf
    • https://cdn.shopify.com/s/files/1/0428/2518/7491/files/puvuloluwor.pdf
    • https://cdn.shopify.com/s/files/1/0437/8266/8437/files/58571233531.pdf
    • https://cdn.shopify.com/s/files/1/0428/5438/3782/files/fipevinuxusozusilutu.pdf
    • https://cdn.shopify.com/s/files/1/0428/4504/4892/files/43485847335.pdf
    • https://cdn.shopify.com/s/files/1/0429/4138/2812/files/wexunepe.pdf
    • https://cdn.shopify.com/s/files/1/0430/7045/5957/files/kekeponanelugabobakoweni.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004680.bin
13b8100126eb752668a768f0df57153ad38c1e7739062461c637f07c3ce1b89f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4680 5228 bytes
font_01_sfnt_off00005847.bin
9e5e59e1e7724ee4ff187ba9d4f13eee261612962139c7053d98c3780cbfe6ac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5847 9160 bytes
font_02_sfnt_off000077b4.bin
6f5c9e0c16f5ca363f97e6ffc861f9a633ef8bd3d72d0cbf25f195d5db01fb91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77B4 17180 bytes
font_03_sfnt_off00009034.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9034 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.