Malicious PDF — malware analysis report

Static analysis result for SHA-256 a031f27697d98913…

MALICIOUS

PDF

45.0 KB Created: 2020-08-22 08:58:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3baee7346f039e1906d70231d0c187a6 SHA-1: 4fa590ee928367a68a1b4573bb772c2c9a0c38f2 SHA-256: a031f27697d9891319b622bde211a9f7abc3aae364ad380a1f65f20754c5c1bb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.com' with a lure related to 'cdc vaccine schedule child pdf'. The document body, though heavily obfuscated, also contains this URL and numerous other links to external PDFs hosted on various domains, indicating a link farm designed to obscure the ultimate destination. The primary malicious URL is 'https://ttraff.com/pify?keyword=cdc+vaccine+schedule+child+pdf', which is likely used to redirect the user to a phishing or malware download site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=cdc+vaccine+schedule+child+pdf
    • http://fafugelew.pulpfictionfuturefood.com/uploads/1/3/1/4/131438309/933de165775fd2.pdf
    • http://vupaxefed.legacyministries.info/uploads/1/3/1/4/131483245/7674.pdf
    • http://mimubok.su649.org/uploads/1/3/1/1/131164066/rakofemagu_pinuvufez_wujila.pdf
    • http://files.ashleyalverthdesign.com/uploads/1/3/1/4/131438464/borobi_vusajegabom.pdf
    • https://cdn.shopify.com/s/files/1/0430/9617/8845/files/rule_34_star_trek.pdf
    • https://cdn.shopify.com/s/files/1/0430/9857/0909/files/modern_baybayin_keyboard_apk.pdf
    • https://cdn.shopify.com/s/files/1/0433/0445/2246/files/domexu.pdf
    • https://cdn.shopify.com/s/files/1/0440/5411/8550/files/cricket_3d_java_games.pdf
    • https://cdn.shopify.com/s/files/1/0430/0665/6666/files/buvepomow.pdf
    • https://cdn.shopify.com/s/files/1/0448/1184/5793/files/34956604942.pdf
    • https://cdn.shopify.com/s/files/1/0437/6982/3383/files/bachianinha_n1.pdf
    • https://cdn.shopify.com/s/files/1/0429/3731/9590/files/fgo_sanzang_event_guide.pdf
    • https://cdn.shopify.com/s/files/1/0447/5063/5162/files/update_git_ubuntu.pdf
    • https://cdn.shopify.com/s/files/1/0457/6487/0300/files/bastille_all_this_bad_blood_zip.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007366.bin
8f5fb8a1a9d2b763ed38eacda462725121a8426ffdf675b02ba4d6a56249160a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7366 5112 bytes
font_01_sfnt_off000084cd.bin
fc725dce104d9e31142e3a5caac918d888b2ad2e496bce22fe797105efadeada		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84CD 10108 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.