Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b93a6aa3d265064…

Verdict: MALICIOUS
File type: PDF
Size: 40.5 KB
Created: 2020-08-22 15:24:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f01d39f7762b867fa70207ee97c2666
SHA-1: 9e91c235b62cc2859df28f2a8922cf766e31f095
SHA-256: 9b93a6aa3d2650644330cc94fe435193eb204d90e3ff00ca00b4a6484e45045f
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell (nothing in this file evidences it: no script content was extracted and the only carved artifacts are two font streams, so treat this mapping as campaign context rather than a property of the sample)

A heuristic fires on a clickable link to known malicious redirector infrastructure, https://ttraff.cc/pify?keyword=general+aptitude+test+sample+questions+and+answers. The document body also carries that URL together with numerous other links to PDFs, most of them hosted on cdn.shopify.com, a pattern consistent with a generated SEO-poisoning link farm rather than genuine citations. The producer string (wkhtmltopdf 0.12.5) shows the file was rendered from HTML, which fits automated generation. No embedded JavaScript, launch action or parser-exploit content was reported; the apparent intent is to lure users searching for aptitude-test sample questions into clicking through to malicious redirect infrastructure.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK [critical]: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM [critical]: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=general+aptitude+test+sample+questions+and+answers (redirector matched by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://files.milaspreschoolandccc.com/uploads/1/3/1/3/131383661/9241220.pdf
    • http://files.piersonpsychology.com/uploads/1/3/2/8/132814272/vikotuxupo.pdf
    • https://cdn.shopify.com/s/files/1/0435/3415/5928/files/junuwidikuxofitela.pdf
    • https://cdn.shopify.com/s/files/1/0448/1482/7677/files/review_of_transistor_biasing.pdf
    • https://cdn.shopify.com/s/files/1/0437/3826/7809/files/tonapoxur.pdf
    • https://cdn.shopify.com/s/files/1/0429/5937/2439/files/wezilomux.pdf
    • https://cdn.shopify.com/s/files/1/0429/9417/2058/files/pozoluxutemozala.pdf
    • https://cdn.shopify.com/s/files/1/0431/1498/7682/files/kojetimoruxuvi.pdf
    • https://cdn.shopify.com/s/files/1/0434/7455/0950/files/bungee_font_mac.pdf
    • https://cdn.shopify.com/s/files/1/0428/6103/5686/files/41489653964.pdf
    • https://cdn.shopify.com/s/files/1/0430/6288/6549/files/75822341926.pdf
    • https://cdn.shopify.com/s/files/1/0438/7130/5896/files/pawigomenabusezupivojezi.pdf
    • https://cdn.shopify.com/s/files/1/0445/4160/8100/files/calligraphy_sheets_for_beginners.pdf
    • https://cdn.shopify.com/s/files/1/0440/7181/3285/files/toxodu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP/RDF namespace identifiers from the document's metadata, not navigable links, and should be excluded from any link-count heuristic.
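
The following is an added example, not code from the report or from the analysis engine that produced it. It re-derives the three heuristics above from a PDF's raw bytes: it pulls /URI actions out of the file and out of any FlateDecode stream that inflates, pulls remaining URLs out of the document body, discards XMP namespace identifiers, then checks for a known redirector host and for the small-file, many-PDF-links, one-dominant-host pattern. The heuristic names are the report's; the thresholds (64 KB, 8 links, 60% on one host), the indicator list and the minimal PDF builder used as sample input are assumptions made for the example.

```python
"""Re-derive the report's PDF link heuristics from raw bytes (added example, not the engine's code)."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

REDIRECTOR_HOSTS = {"ttraff.cc"}  # hypothetical indicator list; the host itself is from the report
# XMP/RDF namespace identifiers: metadata, never navigable links
METADATA_NS = ("http://www.w3.org/", "http://purl.org/", "http://ns.adobe.com/")

URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")   # /A << /S /URI /URI (...) >>
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")              # anything else that looks like a URL
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _chunks(data):
    """Yield the raw file, then every stream body that inflates cleanly (objects may be compressed)."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def extract_urls(data):
    """Return [(channel, url)]; channel is 'link_annotation' for /URI actions, 'body' otherwise."""
    found, seen = [], set()
    for chunk in _chunks(data):
        for m in URI_ACTION_RE.finditer(chunk):
            url = m.group(1).decode("latin-1").replace("\\(", "(").replace("\\)", ")")
            if url not in seen:
                seen.add(url)
                found.append(("link_annotation", url))
    for chunk in _chunks(data):
        for m in ANY_URL_RE.finditer(chunk):
            url = m.group(0).decode("latin-1")
            if url not in seen:
                seen.add(url)
                found.append(("body", url))
    return found


def triage(data, small_limit=64 * 1024, farm_min=8, cluster=0.6):
    """Return [(heuristic_id, severity, evidence)] in the order the report lists them."""
    urls = extract_urls(data)
    links = [u for ch, u in urls if ch == "link_annotation" and not u.startswith(METADATA_NS)]
    findings = []
    hits = sorted({urlparse(u).hostname for u in links} & REDIRECTOR_HOSTS)
    if hits:
        findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", hits))
    pdf_links = [u for u in links if (urlparse(u).path or "").lower().endswith(".pdf")]
    if len(data) <= small_limit and len(pdf_links) >= farm_min:
        host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= cluster:
            findings.append(("PDF_SEO_LINK_FARM", "critical", [f"{n}/{len(pdf_links)} on {host}"]))
    if urls:
        findings.append(("EMBEDDED_URL", "info", [f"{ch}: {u}" for ch, u in urls]))
    return findings


def build_sample_pdf(link_urls):
    """Constructed test input, not the analysed sample: link annotations, half of them inside a
    FlateDecode stream, plus an XMP packet whose namespace URIs must not be counted as links."""
    def annot(u):
        return b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + u.encode() + b") >> >>\n"
    half = len(link_urls) // 2
    packed = zlib.compress(b"".join(annot(u) for u in link_urls[half:]))
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"><pdf:Producer>wkhtmltopdf</pdf:Producer></rdf:RDF>\n')
    return (b"%PDF-1.4\n" + b"".join(annot(u) for u in link_urls[:half])
            + b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed
            + b"\nendstream\nendobj\n6 0 obj << /Type /Metadata /Subtype /XML >>\nstream\n" + xmp
            + b"endstream\nendobj\n%%EOF\n")


# URLs taken from the report above (one redirector, nine PDF links, seven of them on one host)
SAMPLE_LINKS = [
    "https://ttraff.cc/pify?keyword=general+aptitude+test+sample+questions+and+answers",
    "http://files.milaspreschoolandccc.com/uploads/1/3/1/3/131383661/9241220.pdf",
    "http://files.piersonpsychology.com/uploads/1/3/2/8/132814272/vikotuxupo.pdf",
    "https://cdn.shopify.com/s/files/1/0435/3415/5928/files/junuwidikuxofitela.pdf",
    "https://cdn.shopify.com/s/files/1/0448/1482/7677/files/review_of_transistor_biasing.pdf",
    "https://cdn.shopify.com/s/files/1/0437/3826/7809/files/tonapoxur.pdf",
    "https://cdn.shopify.com/s/files/1/0429/5937/2439/files/wezilomux.pdf",
    "https://cdn.shopify.com/s/files/1/0429/9417/2058/files/pozoluxutemozala.pdf",
    "https://cdn.shopify.com/s/files/1/0431/1498/7682/files/kojetimoruxuvi.pdf",
    "https://cdn.shopify.com/s/files/1/0434/7455/0950/files/bungee_font_mac.pdf",
]

if __name__ == "__main__":
    for hid, sev, evidence in triage(build_sample_pdf(SAMPLE_LINKS)):
        print(f"{hid} [{sev}]")
        for e in evidence:
            print("   ", e)
```

Against the constructed sample this reports the redirector host, a 7/9 cluster on cdn.shopify.com, and twelve extracted URLs, ten from link annotations and two from the metadata body. On a real file the raw-byte regexes are a triage shortcut, not a parser: object streams, cross-reference streams and non-Flate filters need a proper PDF library, and a /URI that is escaped or hex-encoded will be missed.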

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                   Size
font_00_sfnt_off00005ef9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5EF9  5352 bytes
  SHA-256: 492ed17c8248792956d666eac91ed87c9be0c90107b1dd90f5919b541218dc35
font_01_sfnt_off00007128.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7128  10524 bytes
  SHA-256: 902fdab2ad2c4beb613b4cc5e82396a581d5832dfef4268c653e9a4600b0ede6