Malicious PDF — malware analysis report

Static analysis result for SHA-256 851c15ab9f8ca4c9…

Verdict: MALICIOUS
File type: PDF
Size: 34.7 KB
Created: 2020-09-18 04:21:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 77355f4fd4fd4a9db1d3caae662a5740
SHA-1: 70f8386bb7881a1606878416f3c1cda27cfe251a
SHA-256: 851c15ab9f8ca4c98f06988c6156caf110a97ce2a2c9825be7f2c90bb6e014bf
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment (the PDF itself, delivered as an attachment); T1566.002 Spearphishing Link (the clickable redirector URL inside it)
T1059.001 PowerShell: listed by the analysis, but nothing in the static findings below (link annotations, metadata URIs and two embedded fonts) shows PowerShell or any script content, so treat this mapping as unverified.

The PDF is a link farm of 26 external links, one of which is a redirector link rated critical: 'https://ttraff.club/wix?keyword=crayola+experience+donation+request'. The keyword parameter carries the search phrase the lure is built around, so the document reads as a social engineering attempt to route users to a malicious site under the guise of a donation request. The document body, although heavily obfuscated, references the donation request and the same URL, which reinforces the phishing pretext.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.club/wix?keyword=crayola+experience+donation+request (the redirector link matched by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://jodazori.saltedsage.com/uploads/1/3/1/3/131382028/zaputepezab.pdf
    • https://cdn.shopify.com/s/files/1/0434/8031/8118/files/calendario_escolar_cantabria_2020_20.pdf
    • https://cdn.shopify.com/s/files/1/0434/5649/5769/files/floccinaucinihilipilification_in_a_sentence_yahoo_answers.pdf
    • https://cdn.shopify.com/s/files/1/0433/3735/1326/files/rekipejo.pdf
    • https://cdn.shopify.com/s/files/1/0432/2036/9576/files/62620952555.pdf
    • https://80c7db92-fdca-4f96-bada-ccb11a6f7cdc.filesusr.com/ugd/764aaa_c92d6fda06014a099c1e51caff274b74.pdf?index=true
    • https://5ff84fcb-cba3-4d97-8307-aaaced401dee.filesusr.com/ugd/6a4619_9f77e4f2b9614e558b7eded2b36f2600.pdf?index=true
    • https://6a463af9-b07e-4d16-8c99-7d68c827403f.filesusr.com/ugd/ce14f3_c596da37545b4cb98749c040bca7dfc6.pdf?index=true
    • https://037d37f5-2d30-4b47-91dd-cecb9ff8cb5f.filesusr.com/ugd/440e29_9d8d3a0dbe6a42ca962d4875774f1977.pdf?index=true
    • https://45006658-4d20-4b00-95ce-b8601bdd062f.filesusr.com/ugd/6e13d9_481f860e1a734e94b2c76230968bc114.pdf?index=true
    • https://66a69ff0-b8a7-474e-93ba-a2e8f679f087.filesusr.com/ugd/3724a2_717376e9147a4a8898097a3428780a95.pdf?index=true
    • https://d24903c7-db67-4acd-b94d-a31787fe4dd9.filesusr.com/ugd/99afdc_ff9f200288ca406db9b665cf2b9c691b.pdf?index=true
    • https://e5487c0f-8234-4e6f-bd63-1a067aa41a5f.filesusr.com/ugd/9dda13_5d7729346e0e40d3a487aabb0fc1503d.pdf?index=true
    The six URIs below are standard XMP/RDF metadata namespace identifiers (RDF syntax, Dublin Core, and the Adobe PDF, XMP, XMP Media Management and XMP Rights schemas) found in the document's metadata. They are not clickable links and are not indicators; do not block or hunt on them.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
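The two link-based heuristics above (redirector link, small-file link farm) and the channel split behind EMBEDDED_URL (link annotations versus metadata namespace URIs), as an added Python example. This is not the analysis tool's code: it regex-scans a constructed PDF-like byte blob for /URI link annotations, inflating FlateDecode streams first because real producers store annotations inside compressed object streams, separates XMP namespace URIs from clickable links, and scores the result with assumed thresholds (file under 100 KB, at least 10 external links, at least half of them on one host) against an assumed known-redirector host list seeded with the page's ttraff.club. The sample input, its example.net/example.com hosts and the thresholds are all constructed.

```python
"""Link-farm / redirector heuristics for a PDF, run over constructed input."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Standard XMP/RDF namespace identifiers: they live in the metadata packet,
# are never clickable, and must not be counted as external links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# /URI (literal string) in a link annotation's action; handles \( \) \\ escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Any http(s) URL anywhere in the (inflated) bytes: the body/metadata channel.
GENERIC_URL_RE = re.compile(rb"""https?://[^\s<>"')]+""")
# stream ... endstream pairs; a heuristic only, a real parser honours /Length.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> bytes:
    """Raw bytes followed by every Flate stream inflated, so annotations stored
    inside compressed object streams become visible to the regexes."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:  # decompressobj tolerates a stripped trailing byte; bad headers raise
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (e.g. the XMP packet); already in raw bytes
    return b"\n".join(parts)


def extract_urls(pdf: bytes) -> dict:
    """Split URLs by the channel that reached them: link annotation vs. body."""
    data = inflate_streams(pdf)
    annots = []
    for m in URI_RE.finditer(data):
        uri = re.sub(r"\\(.)", r"\1", m.group(1).decode("latin-1"))  # drop escapes
        if uri not in annots:
            annots.append(uri)
    body = []
    for m in GENERIC_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url not in annots and url not in body:
            body.append(url)
    return {"link_annotation": annots, "document_body": body}


def is_xmp_namespace(uri: str) -> bool:
    return uri.startswith(XMP_NAMESPACE_PREFIXES)


def assess(pdf: bytes, known_redirector_hosts: frozenset, max_size: int = 100_000,
           min_links: int = 10, cluster_ratio: float = 0.5) -> dict:
    """Apply the report's three heuristics to one PDF (thresholds are assumptions)."""
    urls = extract_urls(pdf)
    external = [u for u in urls["link_annotation"] if not is_xmp_namespace(u)]
    namespaces = [u for u in urls["document_body"] if is_xmp_namespace(u)]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    findings = []
    for u in external:  # critical: clickable URI into known redirector infrastructure
        if urlsplit(u).hostname in known_redirector_hosts:
            findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", u))
    if external and len(pdf) < max_size and len(external) >= min_links:
        top_host, top_count = hosts.most_common(1)[0]
        if top_count / len(external) >= cluster_ratio:  # small file, many links, one host
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             f"{top_count}/{len(external)} links on {top_host}"))
    if external or urls["document_body"]:  # info only: a URL is not a detection
        findings.append(("info", "EMBEDDED_URL",
                         f"{len(external)} annotation URLs; {len(namespaces)} XMP namespace URIs ignored"))
    return {"size": len(pdf), "external_links": external, "hosts": dict(hosts),
            "xmp_namespaces": namespaces, "findings": findings}


def build_sample_pdf(link_targets: list) -> bytes:
    """Constructed PDF-like test input (not a real sample): one /Link annotation per
    target, the last one inside a Flate stream, plus a Qt-style XMP packet."""
    objs = []
    for i, target in enumerate(link_targets):
        esc = target.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link "
                    f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n".encode("latin-1"))
    if objs:
        objs.append(b"99 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                    + zlib.compress(objs.pop()) + b"\nendstream\nendobj\n")
    xmp = (b"100 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
           b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"><pdf:Producer>wkhtmltopdf 0.12.5'
           b"</pdf:Producer></rdf:Description></rdf:RDF></x:xmpmeta>\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + b"".join(objs) + xmp + b"%%EOF\n"


# Constructed targets: 9 links on one file host, 2 on a CDN host, and the report's
# redirector URL last, so it is the one that ends up in the compressed stream.
SAMPLE_TARGETS = ([f"https://files.example.net/ugd/{i:02d}.pdf" for i in range(9)]
                  + ["https://cdn.example.com/a.pdf", "https://cdn.example.com/b.pdf",
                     "https://ttraff.club/wix?keyword=crayola+experience+donation+request"])

if __name__ == "__main__":
    result = assess(build_sample_pdf(SAMPLE_TARGETS), frozenset({"ttraff.club"}))
    for sev, rule, detail in result["findings"]:
        print(f"[{sev}] {rule}: {detail}")
```

The regexes only see literal strings and Flate-compressed streams; hex strings, encrypted documents, object streams with other filters and /Length-delimited binary data all need a real parser (pypdf or pdfminer) before this scoring is trustworthy on arbitrary samples. The host-clustering ratio is what separates a generated link farm from a legitimately link-heavy document, and the namespace filter is what keeps RDF and Adobe schema URIs out of the external-link count.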

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000048e8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x48E8    5268 bytes
  SHA-256: 96a5c16b0eb28773782362b1f0b6196ec52d92ed34023822e93fb7fc07ccc127
font_01_sfnt_off00005ae3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5AE3   10352 bytes
  SHA-256: 22bcbd639d73ed9f279f4d9869058bc6bdbf652b4b9c3ad7f03026fe747243b5