Malicious PDF — malware analysis report

Static analysis result for SHA-256 5515fa84f17160fa…

Verdict: MALICIOUS
File type: PDF
Size: 61.8 KB
Created: 2020-08-22 14:15:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 673820b123966209eaec9008df232426
SHA-1: 6303a9174feb76407822aa5096268c31e235c13d
SHA-256: 5515fa84f17160fa58ff2b7a14a01438a2bd97aa3cc0ee1c9623cea1fc3c72d7
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many hosted on Shopify, which is indicative of a link farm. One of the primary links, 'https://ttraff.cc/pify?keyword=ilr+employer+absence+letter+template', points to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to an 'Ilr employer absence letter template', and the authoring-application metadata shows it was generated by wkhtmltopdf, a tool often used to mass-produce such PDFs from HTML. The presence of a malicious redirector strongly suggests a phishing or malware distribution attempt.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=ilr+employer+absence+letter+template

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000a964.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA964  2828 bytes
    SHA-256: a17885b4fd577e0298a64705d5055d2ac7c2363fd7008e9cf236b3df412a17d8
font_01_sfnt_off0000b35e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB35E  5256 bytes
    SHA-256: 3b07a7dc1c41eab73e67e81f7f0f201737ad05630cff957c3122755ccdeb11fc
font_02_sfnt_off0000c51f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xC51F  9876 bytes
    SHA-256: 47ad8c958835e191d477fbbf11a42f831b79b68c058486b6d737648b84a554ab