Malicious PDF — malware analysis report

Static analysis result for SHA-256 953fd67bd84ae144…

MALICIOUS

PDF

51.0 KB Created: 2020-09-01 10:02:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 745c88060c4d71179dbbc104420feb3d SHA-1: 9ee8fb781c77c50e4915860b6d82291840149250 SHA-256: 953fd67bd84ae144e560a8542a726dd027ba2f6396707b778a3edde22480bbc2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on 'cdn.shopify.com'. The document body also contains the malicious URL and references a 'lab technician 2018 answer key', suggesting a lure to entice users to click the link. The primary attack vector appears to be directing users to malicious infrastructure via a deceptive link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=lab+technician+2018+answer+key
    • https://cdn.shopify.com/s/files/1/0431/7465/8216/files/kisikoded.pdf
    • https://cdn.shopify.com/s/files/1/0463/3870/3521/files/98874345198.pdf
    • https://cdn.shopify.com/s/files/1/0435/7311/7087/files/64231587325.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/81988232477.pdf
    • https://cdn.shopify.com/s/files/1/0435/6797/2513/files/58045668229.pdf
    • https://cdn.shopify.com/s/files/1/0430/0229/8521/files/android_studio_software.pdf
    • https://cdn.shopify.com/s/files/1/0457/4612/7004/files/sokogufulipu.pdf
    • https://cdn.shopify.com/s/files/1/0433/9879/1329/files/57147508474.pdf
    • https://cdn.shopify.com/s/files/1/0461/1692/9700/files/45314066662.pdf
    • https://cdn.shopify.com/s/files/1/0432/8993/6025/files/56727549458.pdf
    • https://static.usrfiles.com/ugd/b8c837_81171a28561940d09ed1a8e461cc24b1.pdf
    • https://static.usrfiles.com/ugd/b8c837_0e26aba2fe3248e48108a57d43fa3a8c.pdf
    • https://static.usrfiles.com/ugd/5438e3_5fb02072f56f4c3c9ea9751819cddaf9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000068d7.bin
8097d967fcdc06b284bcd3f02d75785a2e7515c054f9821d7d862f5359b35d22		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68D7 5392 bytes
font_01_sfnt_off00007b33.bin
7b33e6452eb723fd6ff81f7aed4d5bc66bbb543acba0b2f4dd7ba026f842897f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B33 9888 bytes
font_02_sfnt_off00009d1b.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D1B 4324 bytes
font_03_sfnt_off0000ab1b.bin
ae7d49dd61ab3debfdc3f5dd7aa81672f87f1c2dd8f466b987056e5e598957a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB1B 5324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.