Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fe3f42eecca54d9…

Verdict: MALICIOUS
File type: PDF
Size: 52.8 KB
Created: 2020-08-06 08:16:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 86b5d9821723f0073d58d1f7e85d9909
SHA-1: 39c9f6eb016b7019d4d627d64b187e9b76c6bd03
SHA-256: 9fe3f42eecca54d9f0b7011b972077bfc78156beea30ceff8644fe6560299389
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, including a critical link to a known malicious redirector at 'https://ttraff.cc/pify?keyword=children+s+short+bedtime+stories+pdf'. This indicates a social engineering attempt to direct users to malicious infrastructure. The document body, though heavily obfuscated, references the same topic and URLs, reinforcing the lure. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=children+s+short+bedtime+stories+pdf
    • http://files.mindbekind.ca/uploads/1/3/2/7/132740172/xikemo.pdf
    • http://files.orgorg.co/uploads/1/3/0/8/130873851/mibutalu_najes_gifafilubekixu_tejasit.pdf
    • http://files.bahamianmom.com/uploads/1/3/1/0/131070911/2809856.pdf
    • https://cdn.shopify.com/s/files/1/0431/6856/3355/files/pagujolisazefubural.pdf
    • https://cdn.shopify.com/s/files/1/0437/2057/3080/files/daxajikemerifoxosopo.pdf
    • https://cdn.shopify.com/s/files/1/0432/0893/3540/files/27943546495.pdf
    • https://cdn.shopify.com/s/files/1/0433/5498/0505/files/45059254933.pdf
    • https://cdn.shopify.com/s/files/1/0429/1140/0102/files/84167314633.pdf
    • https://cdn.shopify.com/s/files/1/0429/6795/7658/files/23300592449.pdf
    • https://cdn.shopify.com/s/files/1/0431/5525/9560/files/31688322847.pdf
    • https://cdn.shopify.com/s/files/1/0440/9065/4870/files/xulage.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/duwaxufezemurogagur.pdf
    • https://cdn.shopify.com/s/files/1/0437/2883/0632/files/mitegozudesebuvotujedivag.pdf
    • https://cdn.shopify.com/s/files/1/0432/8954/2809/files/pepim.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008402.bin
  SHA-256: f279e0384076e02427e276a01762ffad6958264cbb93dacea4584a8e7340d80b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8402
  Size: 5020 bytes

Filename: font_01_sfnt_off000094d7.bin
  SHA-256: 2efc8f33d694e6c48003636428d7903dea687f2798313ee40774c3eb8be4bac6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x94D7
  Size: 10412 bytes

Filename: font_02_sfnt_off0000b860.bin
  SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB860
  Size: 4324 bytes