Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e72bd2f3325cee5…

MALICIOUS

PDF

42.6 KB Created: 2020-08-31 01:28:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c44af0bbe715968047bdd4671f6bdb0b SHA-1: 9f8c978d8bed0d1221db6e0373911ef82559a7bb SHA-256: 7e72bd2f3325cee5ab90c2701c8e2e2bd1ba9374f69cc8b08bf483582de5739a
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources. The presence of a 'download button' heuristic further supports the lure mechanism. The primary malicious URL identified is https://ttraff.cc/wix?keyword=magoosh+gre+torrent, which likely serves as the initial stage of a malicious workflow.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=magoosh+gre+torrent
    • https://cdn.shopify.com/s/files/1/0434/2985/5393/files/bootstrap_flash_messages.pdf
    • https://cdn.shopify.com/s/files/1/0434/4931/9577/files/inherited_disorders_of_lipid_metabolism.pdf
    • https://cdn.shopify.com/s/files/1/0438/7107/6520/files/grammar_and_writing_practice_book_grade_1.pdf
    • https://cdn.shopify.com/s/files/1/0436/6827/5353/files/10429000814.pdf
    • https://cdn.shopify.com/s/files/1/0444/4625/3222/files/impartial_reporter_newspaper_enniskillen_northern_ireland.pdf
    • https://cdn.shopify.com/s/files/1/0427/6230/5702/files/85523509375.pdf
    • https://cdn.shopify.com/s/files/1/0433/9888/9635/files/4e_dungeon_master_s_guide.pdf
    • https://cdn.shopify.com/s/files/1/0430/4021/1105/files/zidenikajijud.pdf
    • https://static.usrfiles.com/ugd/0dcf4b_42ca1e8192d149a49c4856ab7bd7d678.pdf
    • https://static.usrfiles.com/ugd/b8c837_1e31b88086104db29415b86c1fade428.pdf
    • https://static.usrfiles.com/ugd/b8c837_b123b9d35bee43a28bac04eb065e97d7.pdf
    • https://static.usrfiles.com/ugd/b8c837_4100a99324054c1783948dde4ecb7c1a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000068e0.bin
c52f3e76121ac925593ea64d396b6bbd82d9ae2b5e595fd0af026f695f4229bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68E0 4920 bytes
font_01_sfnt_off0000799d.bin
55caa36660a2b64d67f2884d388cb0e6cee8c23ea0853f39e26a6f43855b2400		 pdf-font-stream PDF embedded font (sfnt) at offset 0x799D 10480 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.