Malicious PDF — malware analysis report

Static analysis result for SHA-256 52a3e9fa3eb9e4ca…

MALICIOUS

PDF

45.0 KB Created: 2020-07-30 18:58:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 53cf3e8147803f569325ed712b90ca8a SHA-1: 46b413d9686bf1a787af5f9a8abbd11076e7d804 SHA-256: 52a3e9fa3eb9e4cacf28b0d5e0e258ae846b74bad6c4739a730f045e957f2cd3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, which is further supported by the presence of a PDF link farm. The primary malicious URL identified is https://ttraff.cc/pify?keyword=ssc+chsl+result+2020+tier+1+pdf+download. While many other Shopify links were extracted, one is flagged as the start of the link farm. The document body appears to be obfuscated or corrupted, preventing a deeper analysis of its content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=ssc+chsl+result+2020+tier+1+pdf+download
    • http://files.milepost0creative.com/uploads/1/3/1/3/131380177/tevebi.pdf
    • http://files.knuckleswhiterock.com/uploads/1/3/2/6/132695472/d6e1229b.pdf
    • http://files.landofosllc.net/uploads/1/3/1/0/131071114/7151525.pdf
    • http://files.mariaillustrations.com/uploads/1/3/2/6/132681931/86f4c9bb8.pdf
    • http://files.pmehs.com/uploads/1/3/0/7/130776611/likuwor.pdf
    • https://cdn.shopify.com/s/files/1/0434/0737/6546/files/fukimoguju.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/78476378890.pdf
    • https://cdn.shopify.com/s/files/1/0430/6213/2897/files/wodumarodikoziwuwa.pdf
    • https://cdn.shopify.com/s/files/1/0434/2926/5574/files/xudedowijixajipumira.pdf
    • https://cdn.shopify.com/s/files/1/0429/2512/9891/files/52089533561.pdf
    • https://cdn.shopify.com/s/files/1/0429/8702/8641/files/9761140520.pdf
    • https://cdn.shopify.com/s/files/1/0440/7207/5414/files/72565182589.pdf
    • https://cdn.shopify.com/s/files/1/0433/9341/7366/files/xijirimeru.pdf
    • https://cdn.shopify.com/s/files/1/0430/0704/9877/files/poxolik.pdf
    • https://cdn.shopify.com/s/files/1/0429/2889/8211/files/9643235942.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070cc.bin
92f7298751784c992e2ac0a130e0f133a35aec76bfb74e83b82fb549b088f0fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70CC 5648 bytes
font_01_sfnt_off0000840a.bin
fbb519cadd94a6a94a4b9f2111d6a0f736bedd6e69024691185c834c5f4f6135		 pdf-font-stream PDF embedded font (sfnt) at offset 0x840A 10276 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.