Malicious PDF — malware analysis report

Static analysis result for SHA-256 9814a75bf33040da…

Verdict: MALICIOUS
File type: PDF
Size: 59.4 KB
Created: 2020-08-10 12:50:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d2c96a9a3e70d64f5f400d1af3d7048
SHA-1: 06ea7cdd20dc8f075cb3f16077b020529b7231dd
SHA-256: 9814a75bf33040da037d5c57a3521540560bf55326311281724485959bac90db
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to external PDFs hosted on various domains, suggesting a link farm or redirection strategy. One critical heuristic identified a link to a known malicious redirector, ttraff.com, which is used to obscure the ultimate destination. The document body, though heavily obfuscated, contains text related to academic notes and the URL for the redirector, indicating a lure to disguise malicious activity. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=b.+sc+part+1+chemistry+notes+pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00006eae.bin | a916dec68a337aa4caa2ef74618894aff1025e87f714826eeaa0420a4d3f4e8f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6EAE | 5388 bytes
font_01_sfnt_off000080df.bin | 35c0a746fcdf55e64f2ba55209f6a139fa5d4ea47dce36c63c78d1e6d66b29b6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x80DF | 3204 bytes
font_02_sfnt_off00008dd0.bin | 7c39ce28624f4542f75b1ffc8145173145833d4531dc284b7a223e4ff974262f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8DD0 | 2576 bytes
font_03_sfnt_off000098c6.bin | f9d08080e291800fa95750915ab6bfd34d8755f25ea6cdb4565fac05940e9194 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x98C6 | 10252 bytes
font_04_sfnt_off0000bbc8.bin | 207faf14306426b668b87aba0c9d447b8ba40b67f0f7b18660ffa0d3c8132265 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBBC8 | 16224 bytes
font_05_sfnt_off0000d114.bin | a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD114 | 4324 bytes