Malicious PDF — malware analysis report

Static analysis result for SHA-256 98c207b96134a519…

MALICIOUS

PDF

39.3 KB Created: 2020-08-25 07:50:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4356b453f988dd0f46c1b8e9e4035cb SHA-1: 11126b2d4e0c307682df9bde8222d2e3daaa1ec0 SHA-256: 98c207b96134a519431667663e5064599a9b6d87eefd1bf32e3a2234c9739da4
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a link farm and a specific URL that redirects to malicious infrastructure. The document body, though obfuscated, contains text related to an exam form and the malicious URL, suggesting a lure. The presence of a visual download button further supports the social engineering aspect of this attack. The primary malicious URL identified is https://ttraff.com/pify?keyword=pre+b.+ed+exam+form+2018, which is likely used to redirect the user to a further stage of the attack.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=pre+b.+ed+exam+form+2018
    • http://welodak.generationxgoesglobal.com/uploads/1/3/2/6/132695643/jofepoxidoma_sogekomumu_ludeliz_vuroju.pdf
    • http://files.densityanalytics.com/uploads/1/3/0/8/130814769/57a960d0c0.pdf
    • http://files.andrewmartinsmith.com/uploads/1/3/1/1/131164479/11c786.pdf
    • http://files.lavwcd.com/uploads/1/3/1/3/131398541/sibekigusew_pufefanapu_gulalelu.pdf
    • http://beluzakob.mrjbake.com/uploads/1/3/1/3/131381167/gekewab.pdf
    • https://cdn.shopify.com/s/files/1/0435/8779/7160/files/2014_town_and_country_owners_manual.pdf
    • https://cdn.shopify.com/s/files/1/0436/9265/4745/files/41206023676.pdf
    • https://cdn.shopify.com/s/files/1/0437/0949/7496/files/employment_card_online.pdf
    • https://cdn.shopify.com/s/files/1/0427/8566/9279/files/88054426362.pdf
    • https://cdn.shopify.com/s/files/1/0431/0306/0128/files/36590408199.pdf
    • https://cdn.shopify.com/s/files/1/0427/5005/0460/files/mumoxasejizisuvironub.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/90209356055.pdf
    • https://cdn.shopify.com/s/files/1/0436/1653/4685/files/motakajib.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005be4.bin
e7f6d56858a148a3ad93661eef9ef8a996f07ad1a723dfad2d0b714932c013f7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BE4 5604 bytes
font_01_sfnt_off00006ee8.bin
e1d7dd15f5a4f2cbd3600adead27ec8c06b81793125e97e75458c49fa5667c94		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EE8 9872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.