Malicious PDF — malware analysis report

Static analysis result for SHA-256 b03ff2919b5a557d…

MALICIOUS

PDF

77.0 KB Created: 2020-09-04 02:45:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 757ee50e2b9a72bcf3a5ecd87a1493ac SHA-1: 6980ef7b2e61edc15b732b177bfd6e13e9c3ae4a SHA-256: b03ff2919b5a557d209e05ecae7c0bd323eea911b81182d30c2091440b576e72
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. The embedded URL, 'https://ttraff.me/wix?keyword=agile+software+development+scrum+pdf', is presented in a context that suggests a lure for users interested in agile software development topics. The PDF also exhibits characteristics of a link farm, with numerous external links, further supporting a malicious intent to redirect users to potentially harmful sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=agile+software+development+scrum+pdf
    • https://cdn.shopify.com/s/files/1/0427/7354/5116/files/adrienne_rich_of_woman_born.pdf
    • https://cdn.shopify.com/s/files/1/0427/5005/0460/files/wabewosuserepilakopumaw.pdf
    • https://cdn.shopify.com/s/files/1/0428/0313/4627/files/25637510857.pdf
    • https://cdn.shopify.com/s/files/1/0437/3217/2951/files/14085422121.pdf
    • https://static.usrfiles.com/ugd/4cf28d_9f1cc7d04416412fb39a59a650f6af51.pdf
    • https://static.usrfiles.com/ugd/d9d1f5_64480c7590b341d6806c07013451fa16.pdf
    • https://static.usrfiles.com/ugd/cc089a_e57470698cac4df8bea07b5170cc27e4.pdf
    • https://static.usrfiles.com/ugd/cc1a03_a2c897508c954d239cebe6ec36dd0739.pdf
    • https://static.usrfiles.com/ugd/760101_c991a1c88abe4495a17c132e69f001f5.pdf
    • https://static.usrfiles.com/ugd/6908d7_e575e4b9de6140569a5ff7c7d2c11b3d.pdf
    • https://static.usrfiles.com/ugd/f90bad_efc1533877174f51a958eea910d5ff19.pdf
    • https://static.usrfiles.com/ugd/b8c837_e6074e6653574cd1ae5f8497ca3ed827.pdf
    • https://cdn.shopify.com/s/files/1/0429/6150/2362/files/91202159669.pdf
    • https://cdn.shopify.com/s/files/1/0429/1048/2588/files/weralenerarer.pdf
    • https://cdn.shopify.com/s/files/1/0431/0361/7173/files/90678758268.pdf
    • https://cdn.shopify.com/s/files/1/0461/0732/8675/files/perfect_deadlift_form_crossfit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef81.bin
936299ab2d6bf8c72da51fef374338a7b98af214b8de5870bcfbf44480b90d72		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF81 5616 bytes
font_01_sfnt_off000102ab.bin
394cba683db78333003956c9293f58834421a0a9577eb74961cf05092ecf286f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x102AB 10504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.