Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9c72f555974fe02…

MALICIOUS

PDF

43.5 KB Created: 2020-08-24 19:22:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ae6a702adfc4871cca3aa6034b696f8 SHA-1: 526172b228cdaaf545e4380d265d6ea99c2d560b SHA-256: a9c72f555974fe02f753f036b6f3b9c94cf00b8774d2e19468e788a6bce4c4c3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains embedded links that point to a known malicious redirector, ttraff.ru. The document body, though heavily obfuscated, appears to reference an admission form, suggesting a social engineering lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm designed to improve SEO for malicious content. The primary malicious URL is https://ttraff.ru/pify?keyword=st+aloysius+school+sadar+jabalpur+admission+form, which is likely used to redirect users to further malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=st+aloysius+school+sadar+jabalpur+admission+form
    • http://gidawunu.leroykoh.com/uploads/1/3/0/7/130739616/c537641e18fe1.pdf
    • http://files.homemadenourishment.com/uploads/1/3/0/7/130739996/sabadufotefezi-foponuxuk.pdf
    • https://cdn.shopify.com/s/files/1/0440/8049/6792/files/24958022139.pdf
    • https://cdn.shopify.com/s/files/1/0434/4319/1960/files/can_t_hurt_me_portugues.pdf
    • https://cdn.shopify.com/s/files/1/0431/4837/8266/files/felelatodoxasarubuteloneb.pdf
    • https://cdn.shopify.com/s/files/1/0432/7289/6678/files/56857442088.pdf
    • https://cdn.shopify.com/s/files/1/0431/1325/0972/files/78934762656.pdf
    • https://cdn.shopify.com/s/files/1/0450/6681/3590/files/29583701927.pdf
    • https://cdn.shopify.com/s/files/1/0439/4611/5230/files/income_and_expenditure_account_template.pdf
    • https://cdn.shopify.com/s/files/1/0428/8702/0703/files/3963096997.pdf
    • https://cdn.shopify.com/s/files/1/0435/0086/3643/files/twitch_emote_unlocks.pdf
    • https://cdn.shopify.com/s/files/1/0434/8067/8553/files/66242025594.pdf
    • https://cdn.shopify.com/s/files/1/0430/5063/1319/files/razuwobiluzidomak.pdf
    • https://cdn.shopify.com/s/files/1/0440/5769/0262/files/7730402377.pdf
    • https://cdn.shopify.com/s/files/1/0438/3123/0624/files/airline_ticket_template_powerpoint.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069bb.bin
942844bfe5f869956faca1ea4f64968f62789cd49de2ad1be0daff377f7ccb33		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69BB 5816 bytes
font_01_sfnt_off00007d5c.bin
bfca7f76f01738f9360b82c8fc6a4b73ca1ebc64878cad26b0604c3dbae7a2e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D5C 10396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.