Malicious PDF — malware analysis report

Static analysis result for SHA-256 897baf8655bca17c…

MALICIOUS

PDF

45.6 KB Created: 2020-08-19 03:52:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ef0d6f210b7278cb1e88cb4e288f536 SHA-1: 10afa7fa2ef03bff5d46f5db565b2cbc2d22531f SHA-256: 897baf8655bca17cdc8b1bc00e2ca7d7b55366daa9ba6e8f873c09bc1d5c9bfb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF contains a link farm and a critical heuristic firing for a malicious redirector. The document body, though obfuscated, contains text related to an 'employee reference letter' and the malicious URL. The primary malicious URL, 'https://ttraff.cc/pify?keyword=employee+reference+letter+word+format', is designed to redirect users to further malicious content, likely for phishing or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=employee+reference+letter+word+format
    • http://files.studyenglish121.com/uploads/1/3/1/3/131384113/471988e.pdf
    • http://files.h2020-tutorial.net/uploads/1/3/1/4/131483209/2383322.pdf
    • http://files.mymountaindrive.com/uploads/1/3/0/7/130738632/2319138.pdf
    • http://files.grottonsinchile.org/uploads/1/3/2/7/132740413/sojudade-sugonas-gasatis-gesazuvujiw.pdf
    • https://cdn.shopify.com/s/files/1/0428/7276/6631/files/76125272970.pdf
    • https://cdn.shopify.com/s/files/1/0431/0453/4692/files/lofimanedusufuxesan.pdf
    • https://cdn.shopify.com/s/files/1/0433/6903/7980/files/27036514398.pdf
    • https://cdn.shopify.com/s/files/1/0437/8905/8209/files/38628105511.pdf
    • https://cdn.shopify.com/s/files/1/0438/0337/7824/files/37951510779.pdf
    • https://cdn.shopify.com/s/files/1/0429/2729/2582/files/6129010275.pdf
    • https://cdn.shopify.com/s/files/1/0432/7155/3189/files/10_class_date_sheet_2020_up_board_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/4176/7072/files/graphing_exponential_functions_worksheet_algebra_1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007480.bin
199860dddc579319908ae78561544a97216be21d997517aac8b035024565c99d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7480 5276 bytes
font_01_sfnt_off0000866e.bin
7b0d8255fa1a962bbb8504ff92f6a285295f0eecf4a2edff6db4f072486042d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x866E 10460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.