Malicious PDF — malware analysis report

Static analysis result for SHA-256 a67cb69b5bae5cee…

MALICIOUS

PDF

49.3 KB Created: 2020-09-11 12:55:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 465b331b6735b0c479ed2e65f06c73b7 SHA-1: 7aed3c9a77302427050de1b6bfc73d0ec1cb4731 SHA-256: a67cb69b5bae5ceeace448779effab3bd428df21000e4c3a668e94ce09cce7fe
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with at least two heuristics identifying it as a malicious redirector and a link farm. The document body, though partially corrupted, contains the URL 'https://ttraff.me/pify?keyword=yang+zing+link+format', which is flagged as a malicious redirector. The file's purpose appears to be directing users to potentially harmful external sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=yang+zing+link+format
    • http://beveb.andimcnair.com/uploads/1/3/2/7/132712461/1486931.pdf
    • http://lobidab.nkcecc.com/uploads/1/3/1/6/131606008/wubat.pdf
    • http://files.caninewatersportscanada.com/uploads/1/3/1/4/131454733/5365648.pdf
    • https://static.usrfiles.com/ugd/865d50_44a29833bb2c4aa194044222764d6470.pdf
    • https://static.usrfiles.com/ugd/d61b30_114a4e00c2074683afd9dbd9251041fe.pdf
    • https://static.usrfiles.com/ugd/b80405_e2121f2b0ccc4a25bcf65ef4db05f784.pdf
    • https://static.usrfiles.com/ugd/800b88_11d04c619cb140f5a814ccb03472c647.pdf
    • https://static.usrfiles.com/ugd/0fdb6d_a3e4010315c9495087585d46576ed5cc.pdf
    • https://static.usrfiles.com/ugd/ced2dc_c2546d5d8e6445eeaacc82985823efc8.pdf
    • https://static.usrfiles.com/ugd/fef806_2138860dcd6540aeb555aae3276236cc.pdf
    • https://cdn.shopify.com/s/files/1/0428/6880/1695/files/borax_bead_test.pdf
    • https://cdn.shopify.com/s/files/1/0436/0703/1966/files/36366726257.pdf
    • https://cdn.shopify.com/s/files/1/0431/8494/7357/files/82534874086.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c2a.bin
55a5906b1bf93e8c6e702b0caeaed74bece4518a105f88025a5ab0e546a33b89		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C2A 6848 bytes
font_01_sfnt_off0000838b.bin
8ccd1b4d09af2f76d495acd41c79ec1b800b60a73d61229f85751781fbe6d6ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x838B 4984 bytes
font_02_sfnt_off00009476.bin
25b546b2b7c54614b024d1e72a44853f928a460bf6f8b170b38004d521b2b4f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9476 10476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.