Malicious PDF — malware analysis report

Static analysis result for SHA-256 9555839bd9d9b4d0…

MALICIOUS

PDF

54.5 KB Created: 2020-08-04 06:29:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 640134e522f0f8509271204a28c88230 SHA-1: 1b4fe0f14329e10ba1d53d1248d57814c9867c50 SHA-256: 9555839bd9d9b4d0266b644085851083a62bf2bbc18bdafe30b238c368e7a63b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in Systems T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing indicating it's a malicious redirector. One of the primary links, 'https://ttraff.cc/pify?keyword=daily+adhkar+book+pdf', is identified as a malicious redirector. The document body also contains this URL, suggesting it's the intended lure for users to click and be redirected to potentially harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=daily+adhkar+book+pdf
    • http://files.kentsmerdon.com/uploads/1/3/1/4/131407424/gititifapamowir-tanadoxa-piwojibu-buwewexowo.pdf
    • http://files.gcraudio.com/uploads/1/3/1/3/131380687/memijeriro_pegilokododos_purowikipufot.pdf
    • http://pilefabe.muchnesslife.com/uploads/1/3/1/4/131438464/8d3411df0bb.pdf
    • http://files.ayakampart.com/uploads/1/3/1/4/131438316/jebewa.pdf
    • https://cdn.shopify.com/s/files/1/0432/7292/9435/files/dukibu.pdf
    • https://cdn.shopify.com/s/files/1/0430/0718/0954/files/28859026010.pdf
    • https://cdn.shopify.com/s/files/1/0433/7002/1014/files/ferozuzutabubotunawajit.pdf
    • https://cdn.shopify.com/s/files/1/0431/4536/3610/files/pokadaxuguniv.pdf
    • https://cdn.shopify.com/s/files/1/0437/9515/3058/files/kumirawavuwigaferuxug.pdf
    • https://cdn.shopify.com/s/files/1/0431/3343/6055/files/konibaroxozepi.pdf
    • https://cdn.shopify.com/s/files/1/0439/1596/8680/files/33886366446.pdf
    • https://cdn.shopify.com/s/files/1/0430/2218/8701/files/27409254643.pdf
    • https://cdn.shopify.com/s/files/1/0432/6942/3269/files/devebezaz.pdf
    • https://cdn.shopify.com/s/files/1/0435/4523/1509/files/63588802832.pdf
    • https://cdn.shopify.com/s/files/1/0428/7204/5734/files/x_ray_texture_pack_1._7._10.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000090ae.bin
4a1c96ba6fff96d72e61a59a1f0e191673d0d9efd065d6170bf14bc37a78122b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x90AE 5256 bytes
font_01_sfnt_off0000a28f.bin
7760680e901114f9ffd28a827bdeaac61bb1e756aa827b9951f7e9d39860c77d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA28F 13828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.