Malicious PDF — malware analysis report

Static analysis result for SHA-256 8fb200bb414d2607…

MALICIOUS

PDF

43.5 KB Created: 2020-08-08 13:00:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fb24fe2e6e5c36e3a806e7ac0f97af6 SHA-1: 8b63e88768e661f929db83512e05b27ce4c8420e SHA-256: 8fb200bb414d260761311219358bd3035cd599c6b44bc93594cbb762ad40af9a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on Shopify. One critical heuristic indicates that the document contains a malicious redirector link to 'ttraff.cc'. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=analytical+geometry+grade+10+formulas+pdf', suggesting a lure to download further content under the guise of educational material. The presence of numerous links and the redirector strongly indicate a phishing or content-luring attack.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=analytical+geometry+grade+10+formulas+pdf
    • http://files.breakdown4car.co.uk/uploads/1/3/0/7/130775659/suruviteb-dipapasivakur-vikex.pdf
    • http://files.initiatives.com.hk/uploads/1/3/0/8/130813643/a34612a550c231e.pdf
    • http://files.gonefishinnd.com/uploads/1/3/1/4/131453256/2607876.pdf
    • https://cdn.shopify.com/s/files/1/0427/8580/0358/files/belowisimexoxowa.pdf
    • https://cdn.shopify.com/s/files/1/0428/3806/5308/files/baguzeb.pdf
    • https://cdn.shopify.com/s/files/1/0433/4298/7422/files/10363613845.pdf
    • https://cdn.shopify.com/s/files/1/0432/3170/7294/files/74596027241.pdf
    • https://cdn.shopify.com/s/files/1/0434/7202/7814/files/52938490735.pdf
    • https://cdn.shopify.com/s/files/1/0435/7311/7087/files/free_registry_repair.pdf
    • https://cdn.shopify.com/s/files/1/0432/9301/6222/files/sijonorulinefusi.pdf
    • https://cdn.shopify.com/s/files/1/0435/5453/7624/files/47230461830.pdf
    • https://cdn.shopify.com/s/files/1/0434/9237/6741/files/81315411766.pdf
    • https://cdn.shopify.com/s/files/1/0438/2641/3725/files/karel_j_robot.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78985131446.pdf
    • https://cdn.shopify.com/s/files/1/0431/6682/6656/files/8003802587.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b3a.bin
567d96022182f580c5d5b19c1f38ff0bea3589d79d77ddbdc8ec872579d01e16		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B3A 5760 bytes
font_01_sfnt_off00007ed7.bin
96d67246377dc79818fe949098a92712cee767f6c8304e4dec90b7c04b0b67e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7ED7 10076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.