Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f0793e49e43f22f…

Verdict: MALICIOUS
File type: PDF
Size: 45.5 KB
Created: 2020-08-20 02:53:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 447a67e2f1f7dae96f9038520bc66437
SHA-1: f554fbdde88ce0a24a08b15b9f04dcdbc7584a28
SHA-256: 4f0793e49e43f22ffc2b82653af5e578963442aa6901eb960580857d62e82bd5
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm or redirection strategy. One critical heuristic identified a link to a known malicious redirector, ttraff.ru, which is used in conjunction with the lure 'fiitjee lucknow answer key'. The document body, though heavily corrupted, also contains this URL and other PDF links. The primary attack pattern involves luring users through a deceptive document title to a malicious redirector.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.ru/pify?keyword=fiitjee+lucknow+answer+key

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005d88.bin
    SHA-256: b14b187c3c13d702e1ea6f30cd89dca5c48d4916ab723522b7be3b8ba9545177
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5D88
    Size: 5080 bytes
  • Filename: font_01_sfnt_off00006efc.bin
    SHA-256: a412633fbe5d2eda2986a8c57ad8a0140cfd09186b1492c6e3ca23e882b09064
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6EFC
    Size: 10324 bytes
  • Filename: font_02_sfnt_off0000928c.bin
    SHA-256: 6c1612e668e532665ceafdcc38ae292478546bbe1098c27f3f131710edb92b8b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x928C
    Size: 6800 bytes