Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a0a698b600c7caa…

MALICIOUS

PDF

35.4 KB Created: 2020-08-24 06:26:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5cbab6994bc96e9eb9fe6f7d976f4f16 SHA-1: 742df492c74390a21d522e2d0d01c8857ef7d8e5 SHA-256: 9a0a698b600c7caa175b8c7b0d2a69810ece85c9404bf0c301922953d12ae937
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a mass of external links, including a critical redirector link to 'ttraff.com'. The document body, though heavily obfuscated, contains the same lure text and URLs found in the heuristics. The primary purpose appears to be directing users to malicious infrastructure under the guise of providing templates.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=polo+shirt+template+white
    • http://files.isleofhopesteam.com/uploads/1/3/0/8/130873804/likevefoxu-fisovul-sexotuxif-mexuzokowenipoj.pdf
    • http://vudanoti.eaadventures.com/uploads/1/3/1/4/131437252/9596308.pdf
    • http://files.mcdonnellhomepreschool.com/uploads/1/3/1/4/131454065/tamanufovo-barada-ziraxazufubiz.pdf
    • http://files.sustainableartschool.org/uploads/1/3/1/0/131070485/2332046.pdf
    • https://cdn.shopify.com/s/files/1/0430/6577/0133/files/39096399449.pdf
    • https://cdn.shopify.com/s/files/1/0432/1814/1341/files/73769658888.pdf
    • https://cdn.shopify.com/s/files/1/0434/5279/2982/files/cbse_class_10_english_literature_reader_book_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/6300/0736/files/dusikefoposodok.pdf
    • https://cdn.shopify.com/s/files/1/0440/4133/9030/files/fallout_4_weapon_codes.pdf
    • https://cdn.shopify.com/s/files/1/0430/6596/6754/files/sipewanefebunimisefu.pdf
    • https://cdn.shopify.com/s/files/1/0434/6881/6544/files/new_employee_introduction_email_to_team_template.pdf
    • https://cdn.shopify.com/s/files/1/0437/1264/3223/files/14000283182.pdf
    • https://cdn.shopify.com/s/files/1/0430/1537/2953/files/89862797825.pdf
    • https://cdn.shopify.com/s/files/1/0429/9679/3503/files/24864429715.pdf
    • https://cdn.shopify.com/s/files/1/0433/0441/9478/files/ayushman_bharat_yojana_card_list_2020.pdf
    • https://cdn.shopify.com/s/files/1/0460/1357/9423/files/jamelo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c3c.bin
61c69e0f3d2d9e4f6e2a84c55f9d2042958a79ce368b690f124e62479aacbf21		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C3C 5152 bytes
font_01_sfnt_off00005dab.bin
5b4140fe882daf5d2f7ef9b5bc66c935404922e6b49cfe05fbe293c4cec83227		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DAB 10308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.