Malicious PDF — malware analysis report

Static analysis result for SHA-256 554f7e37a7919c90…

MALICIOUS

PDF

42.4 KB Created: 2020-08-12 12:32:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4fd3e1505a5555187f0762f66e2fc88c SHA-1: 47063fdc3f6aac289cb3845184f4eee32ba7fcb8 SHA-256: 554f7e37a7919c90c62e0c503ef4ee29957637c7d78163df5be7c1ba2e9cf875
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a lure related to 'CTET answer key download' and embeds multiple links. One primary link, 'https://ttraff.com/pify?keyword=ctet.+nic.+in+answer+key+2020+pdf+download', is identified as a malicious redirector. The document also features a link farm, directing users to numerous other PDF files hosted on various domains, including several on Shopify. This suggests a phishing or scam attempt using SEO-poisoned links to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ctet.+nic.+in+answer+key+2020+pdf+download
    • http://files.wonderpin.com/uploads/1/3/1/6/131637362/feligizibab_bikajegirob_titit_julen.pdf
    • http://files.neverlostestore.com/uploads/1/3/0/8/130874204/maniduwasup_wupudoserofi_divekoxusenonis.pdf
    • http://files.townsquareplayers.org/uploads/1/3/0/7/130739107/df487ef55025210.pdf
    • https://cdn.shopify.com/s/files/1/0437/7870/3521/files/ssc_marksheet_download_maharashtra.pdf
    • https://cdn.shopify.com/s/files/1/0439/4532/8808/files/77163971889.pdf
    • https://cdn.shopify.com/s/files/1/0430/1121/1417/files/accuweather_minot_nd.pdf
    • https://cdn.shopify.com/s/files/1/0440/6509/5845/files/45407714268.pdf
    • https://cdn.shopify.com/s/files/1/0428/5494/0828/files/74519383715.pdf
    • https://cdn.shopify.com/s/files/1/0440/4323/9589/files/jojasefewuxet.pdf
    • https://cdn.shopify.com/s/files/1/0432/5782/3390/files/cross_domain_tracking_google_tag_manager.pdf
    • https://cdn.shopify.com/s/files/1/0430/7874/6261/files/29595309872.pdf
    • https://cdn.shopify.com/s/files/1/0439/2802/7304/files/arquitectura_de_computadoras_parhami.pdf
    • https://cdn.shopify.com/s/files/1/0431/4333/2000/files/pathfinder_bestiary_pdf_download_free.pdf
    • https://cdn.shopify.com/s/files/1/0430/4257/0401/files/toe_kick_saw_lowes.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065de.bin
f9863536f124ee02328acd9dbcd5ac8d843ff94c2c2f26ceed8139bd19d948a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65DE 5616 bytes
font_01_sfnt_off0000792d.bin
cd7c190fd6d3288f32355460ba756b0ff1dbdb0ee574a5b02859702da01985ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x792D 10548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.