Malicious PDF — malware analysis report

Static analysis result for SHA-256 56d10ff2020872ad…

MALICIOUS

PDF

79.5 KB Created: 2020-08-21 02:56:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 411395424fefbcb354a5546382fa0a2f SHA-1: 1205194f3748128d101bc388e2180e0ed64a0ada SHA-256: 56d10ff2020872adbd4713bacf91f7e96f2c6303f28a5ac285872d5eb90034cd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL, suggesting it's the primary lure. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many hosted on Shopify, likely for SEO manipulation or to obscure the malicious destination. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=competitive+programming+cheat+sheet
    • http://files.photographybygennaro.com/uploads/1/3/2/3/132302892/048310b12889ed.pdf
    • http://files.dizzycoach.com/uploads/1/3/0/8/130874129/redesoba-xurun.pdf
    • https://cdn.shopify.com/s/files/1/0430/2091/0746/files/adjectives_en_ingles.pdf
    • https://cdn.shopify.com/s/files/1/0434/7035/6632/files/roxaxewaj.pdf
    • https://cdn.shopify.com/s/files/1/0430/8638/1210/files/14161556093.pdf
    • https://cdn.shopify.com/s/files/1/0430/4227/5485/files/33370327755.pdf
    • https://cdn.shopify.com/s/files/1/0435/3032/2071/files/professor_bank_job_book.pdf
    • https://cdn.shopify.com/s/files/1/0435/0397/6614/files/gexujoderagom.pdf
    • https://cdn.shopify.com/s/files/1/0432/7879/4917/files/biwar.pdf
    • https://cdn.shopify.com/s/files/1/0436/3059/2160/files/9517547832.pdf
    • https://cdn.shopify.com/s/files/1/0434/0265/7957/files/85622369485.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000975d.bin
b42e16350c82ec54fa19a0c651c7cbf86ba894b8ea70b4db05a08352f33caa43		 pdf-font-stream PDF embedded font (sfnt) at offset 0x975D 25288 bytes
font_01_sfnt_off0000e525.bin
da3778f980eb8bde791e187da7abd9fa5d18507e70d9bb731ae217a54b9da8aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE525 5280 bytes
font_02_sfnt_off0000f6f3.bin
05a6f270322904a3b8a831bcf955db8ae697abd75f88f4b5065eb4a0cb282f15		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF6F3 10604 bytes
font_03_sfnt_off00011b42.bin
39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11B42 16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.