Malicious PDF — malware analysis report

Static analysis result for SHA-256 a502209c5f8e7fe8…

MALICIOUS

PDF

Size: 40.1 KB
Created: 2020-08-15 15:59:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e85f7a20bd3746d3b5f20907ea3018d
SHA-1: a84d6e4bf6fe65c580831b61620e2b649d38fed6
SHA-256: a502209c5f8e7fe8ebe4c1fcb441e827ed024bf009b67c77ec1ba14594e56c71
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a mass external link farm, with one critical link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the same malicious URL, suggesting an attempt to disguise malicious activity as educational content. The primary intent appears to be directing users to the `ttraff.com` domain for further malicious actions.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/wb?keyword=ncert%20science%20exemplar%20class%209%20solutions%20pdf
    • http://files.cresapsociety.com/uploads/1/3/0/9/130969653/8677746.pdf
    • http://files.yoganut.org/uploads/1/3/0/7/130739918/fewasamu_buxudapazegigiw_zifatifilatab_gejuziju.pdf
    • http://files.joeyessmaracing.com/uploads/1/3/2/6/132681294/darike_marotetitiji.pdf
    • https://cdn.shopify.com/s/files/1/0437/9086/0437/files/jurnal_tentang_titrasi_kompleksometri.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/logopazunu.pdf
    • https://cdn.shopify.com/s/files/1/0433/4944/2715/files/sound_of_silence_text.pdf
    • https://cdn.shopify.com/s/files/1/0433/6202/5624/files/network_management_and_administration_book.pdf
    • https://cdn.shopify.com/s/files/1/0432/0677/0843/files/archie_jumbo_comics.pdf
    • https://cdn.shopify.com/s/files/1/0434/5197/3799/files/drawstring_c_rotatetransform.pdf
    • https://cdn.shopify.com/s/files/1/0432/6676/9051/files/98122872332.pdf
    • https://cdn.shopify.com/s/files/1/0428/6152/7206/files/clinical_virology_richman.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/34996744553.pdf
    • https://cdn.shopify.com/s/files/1/0432/6113/2962/files/50204300995.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005da3.bin
  SHA-256: 823508f42af9e2161ddec37c901ba752607f73143f8eb71e4195d48cce20f80b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5DA3
  Size: 5492 bytes

Filename: font_01_sfnt_off00007039.bin
  SHA-256: 63f6ffce83385d6f3c09f0175ed23eaa265c5b94a7b6114fd986f7da13409db9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7039
  Size: 10312 bytes