Malicious PDF — malware analysis report

Static analysis result for SHA-256 9afc2e2f82087336…

MALICIOUS

PDF

43.7 KB Created: 2020-09-02 08:53:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 527314dd3a40ef86d083839bc741eb50 SHA-1: a0cb222e31cb7365acc872071fa0746cf0b1c515 SHA-256: 9afc2e2f82087336a69459df7707642245abf2a402f49a4a7a82c784c19e8111
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

This PDF file contains multiple embedded URLs, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.me/pify?keyword=bibliography+citations+in+apa+format', which is flagged as malicious. The presence of numerous links, including the malicious one, suggests a link farm or phishing attempt designed to redirect users to harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=bibliography+citations+in+apa+format
    • https://cdn.shopify.com/s/files/1/0431/9094/3902/files/regression_analysis_with_example.pdf
    • https://cdn.shopify.com/s/files/1/0435/4228/2394/files/decision_makers_guide_ni.pdf
    • https://cdn.shopify.com/s/files/1/0434/2651/3048/files/31575481387.pdf
    • https://cdn.shopify.com/s/files/1/0437/5540/5466/files/brush_pen_alphabet_template.pdf
    • https://cdn.shopify.com/s/files/1/0438/0708/0610/files/cantate_domino_heinrich_schtz.pdf
    • https://cdn.shopify.com/s/files/1/0437/6081/2189/files/hipaa_breach_notification_letter_sample.pdf
    • https://cdn.shopify.com/s/files/1/0432/6090/3582/files/konveksiyon_yoluyla_yaylma.pdf
    • https://cdn.shopify.com/s/files/1/0428/5179/5107/files/74401173748.pdf
    • https://cdn.shopify.com/s/files/1/0435/0024/1061/files/boatbuilding_with_plywood_book.pdf
    • https://cdn.shopify.com/s/files/1/0435/2724/1879/files/muxepebapebinegukowufo.pdf
    • https://cdn.shopify.com/s/files/1/0434/7153/6290/files/athlean_x_beast.pdf
    • https://cdn.shopify.com/s/files/1/0431/0673/0138/files/16219406097.pdf
    • https://static.usrfiles.com/ugd/b11f6d_6c4013855aac44a2a98c77484e934666.pdf
    • https://static.usrfiles.com/ugd/b8c837_189ad59eae1f4411ac9b7abda0c0600d.pdf
    • https://static.usrfiles.com/ugd/0f1814_2e306145c8a9439880d4777eedcf0989.pdf
    • https://static.usrfiles.com/ugd/f2c1dc_3713ff41c67f48cbb29e16e0123670cb.pdf
    • https://static.usrfiles.com/ugd/fe83c3_23780e5c5c224a849fd249328edd210e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c5f.bin
7194ffdc52e55fe4d808174f42fd911183b306c9317ecda276b6c7ab99057628		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C5F 5720 bytes
font_01_sfnt_off00007fbd.bin
ac907e926273b468a88cbdbc4a57e3b0a922fb5cd6f41ef0e30c0e2a1200794b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FBD 9960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.