Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae9bf1828c380537…

MALICIOUS

PDF

54.4 KB Created: 2020-08-12 06:50:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9321b2da59987354fcae50af656c82ec SHA-1: f880cf531b478343e3550fd862563d8bf5932864 SHA-256: ae9bf1828c380537f532a1ba5a2d1753fcf6759760a08fef2d2bff5c323296dd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=bsc+1st+chemistry+notes+pdf'. This indicates the document's primary purpose is to redirect users to potentially harmful content. The presence of a large number of external PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to improve search engine visibility for malicious content. No scripts were extracted, but the embedded URLs and redirector link are strong indicators of a phishing or malware distribution attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=bsc+1st+chemistry+notes+pdf
    • http://minonigu.ridgeap.com/uploads/1/3/0/8/130813577/lajejogap_xudasimikale.pdf
    • http://balesagu.marcodim.com/uploads/1/3/1/4/131453574/f47295d6ac66d0e.pdf
    • http://bugaka.prosewizard.com/uploads/1/3/1/6/131636826/kebevuved-sanojibafejozu.pdf
    • https://cdn.shopify.com/s/files/1/0432/2574/3515/files/52280003752.pdf
    • https://cdn.shopify.com/s/files/1/0439/5941/9038/files/zebulirofupesoxipofes.pdf
    • https://cdn.shopify.com/s/files/1/0432/3069/1496/files/10470600250.pdf
    • https://cdn.shopify.com/s/files/1/0429/2483/4975/files/nopep.pdf
    • https://cdn.shopify.com/s/files/1/0429/6255/0940/files/unity_2020_augmented_reality_projects.pdf
    • https://cdn.shopify.com/s/files/1/0431/1610/1793/files/oracle_bcs_question_bank.pdf
    • https://cdn.shopify.com/s/files/1/0438/8962/3208/files/rinutatepatedotavinedad.pdf
    • https://cdn.shopify.com/s/files/1/0434/0521/3847/files/84339996459.pdf
    • https://cdn.shopify.com/s/files/1/0429/4852/6246/files/kaden.pdf
    • https://cdn.shopify.com/s/files/1/0435/1007/1460/files/statistics_mcclave_13th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0432/5706/9736/files/sanuzezubu.pdf
    • https://cdn.shopify.com/s/files/1/0436/8482/3205/files/vobopeduwibitisis.pdf
    • https://cdn.shopify.com/s/files/1/0430/5285/9543/files/8017165449.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006901.bin
47eb92d35b353cef64a20bcfcb5c92a2f8ca6b0a67ebbb47ee73b86c436b229e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6901 5356 bytes
font_01_sfnt_off00007b1a.bin
3ec5eaebde275098412d8dff0e1045b52b4c0e5a23abac5807418a6329e69f43		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B1A 3204 bytes
font_02_sfnt_off0000880a.bin
026de1076dad6614fee7b4839f066e743e4238b5ddea94259138cfcd618330b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x880A 2320 bytes
font_03_sfnt_off0000925c.bin
ed08b184405af967da5a8a78eec0a3d096c4b8784e0dd4a1a0f64d6b38bdda30		 pdf-font-stream PDF embedded font (sfnt) at offset 0x925C 10500 bytes
font_04_sfnt_off0000b620.bin
7a7e0f9cb89785dee93ecfbcc78ef93b5a18a5022886c2d5a0bf15d9412c15a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB620 16224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.