Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f552c3b40952dee…

MALICIOUS

PDF

42.3 KB Created: 2020-09-01 08:11:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 747f6cbb64e1dea701ec43e291967053 SHA-1: 7585f7d22ce616e9aebb9b017b14810a3d47758a SHA-256: 9f552c3b40952deec47366126ec033d26b10b79f9b69646892dd7c5a326c6039
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=black+body+radiation+nptel+pdf'. Additionally, it exhibits characteristics of a link farm, embedding numerous external PDF links, with 'https://cdn.shopify.com/s/files/1/0430/8602/0761/files/mvat_amnesty_scheme_2019_form.pdf' being the first identified. The document body, though heavily obfuscated, also contains these URLs, suggesting an attempt to lure users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=black+body+radiation+nptel+pdf
    • https://cdn.shopify.com/s/files/1/0430/8602/0761/files/mvat_amnesty_scheme_2019_form.pdf
    • https://cdn.shopify.com/s/files/1/0459/6593/4759/files/tijegepixamemuwo.pdf
    • https://cdn.shopify.com/s/files/1/0435/1596/9688/files/silajatawipitofepukobux.pdf
    • https://cdn.shopify.com/s/files/1/0437/5108/0090/files/rokuligu.pdf
    • https://cdn.shopify.com/s/files/1/0434/2022/1596/files/ralumowagemetefizujelogo.pdf
    • https://cdn.shopify.com/s/files/1/0433/9240/1558/files/42976515426.pdf
    • https://cdn.shopify.com/s/files/1/0429/2778/4103/files/gafadupipevunogixuji.pdf
    • https://static.usrfiles.com/ugd/71fd01_548d71bd756d4cf49822444618ee6a26.pdf
    • https://static.usrfiles.com/ugd/e3ed1f_8cde0202530f43328a895a7be43e426e.pdf
    • https://static.usrfiles.com/ugd/03ae60_18c587a107f249079cac4054022b68d6.pdf
    • https://static.usrfiles.com/ugd/b8c837_ca6aca370f124b1b9c1597a557f422a9.pdf
    • https://static.usrfiles.com/ugd/0789d5_0d24aeebd3994d1393e6316541ee3bc4.pdf
    • https://static.usrfiles.com/ugd/4bdc6d_b95bda3dd3ce44d18b6e0d2d563a7ca5.pdf
    • https://static.usrfiles.com/ugd/a44510_cce283931d2a4649a9478e4810b4a0f8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006820.bin
b3fe0cced9ebfc988c499e2c1ce0d466c5525975e52caef785df3d19294005b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6820 5328 bytes
font_01_sfnt_off00007a56.bin
8417d0fc7a734e58e69280c592e29d26cde1c39eacab40c7b309b1bf2c97ebd8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A56 9988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.