Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0335a2fa3074c04…

MALICIOUS

PDF

49.0 KB Created: 2020-08-27 20:03:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68d6ca11e81e1f7b39b54cd030f88c6a SHA-1: c6d33d07da3f9e0232bfa2ade6243ac03a07d529 SHA-256: b0335a2fa3074c0458e7b247bc5fefd879d58365b3ab88223254483f807c3c2d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector service (ttraff.com) that is known to host malicious content. The document body itself contains text related to 'Asme boiler and pressure vessel code sectionviii pdf', likely a lure to entice users to click the malicious link. The primary malicious IOC is the redirector URL, which is designed to lead users to further malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=asme+boiler+and+pressure+vessel+code+section+viii+pdf
    • http://vulom.konidarissales.com/uploads/1/3/1/6/131606758/defasuwozafeju.pdf
    • http://files.thecomputershophv.com/uploads/1/3/1/4/131411199/bbe79f1c489f80.pdf
    • http://gotali.starkhowell.com/uploads/1/3/2/3/132302857/0e6fee7b0e2438a.pdf
    • https://cdn.shopify.com/s/files/1/0431/9805/4558/files/juzafak.pdf
    • https://cdn.shopify.com/s/files/1/0434/0380/4839/files/tasonuwurutudadotipe.pdf
    • https://cdn.shopify.com/s/files/1/0432/8990/3259/files/vikerenavivuboguzurewelaf.pdf
    • https://cdn.shopify.com/s/files/1/0459/6698/3335/files/dictionary_apk_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0439/5096/4904/files/durga_saptashati_gita_press_download.pdf
    • https://cdn.shopify.com/s/files/1/0434/5357/9430/files/rupadare.pdf
    • https://cdn.shopify.com/s/files/1/0431/1253/0081/files/82734844135.pdf
    • https://cdn.shopify.com/s/files/1/0431/6902/2109/files/b._ed_cet_question_paper_download.pdf
    • https://cdn.shopify.com/s/files/1/0435/6263/1326/files/steiner_waldorf_curriculum.pdf
    • https://cdn.shopify.com/s/files/1/0430/4338/9597/files/xolewonati.pdf
    • https://cdn.shopify.com/s/files/1/0428/4760/0807/files/9808632838.pdf
    • https://cdn.shopify.com/s/files/1/0432/1397/9812/files/gubalutepibakazuwutalen.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000081f8.bin
bdf4b48331bef1b362d58bde1f1024b3c672808d9b9bf679b0a16f20a11e1712		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81F8 5488 bytes
font_01_sfnt_off00009479.bin
57af971d5d13e82dc57528b725d9f5d544015eb6ae887f660b32839fb00816a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9479 9980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.