Malicious PDF — malware analysis report

Static analysis result for SHA-256 b246d81b0675a317…

MALICIOUS

PDF

42.3 KB Created: 2020-08-13 22:05:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 467c710c6711ef9edf0f40ac24b1e098 SHA-1: 647e962533e6a8d938bb161123fb9b3b91ffc835 SHA-256: b246d81b0675a3170878e47043745b85c9461cd0318525827a122000e939b49d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a deceptive lure related to the Bhagavad Gita, which redirects users to a malicious URL (https://ttraff.cc/pify?keyword=bhagavad+gita+chapter+1+sloka+pdf). The document also exhibits characteristics of a link farm, embedding numerous external links, many of which point to Shopify domains hosting other PDFs. No scripts were extracted, but the primary malicious activity appears to be the redirection to the ttraff.cc domain.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=bhagavad+gita+chapter+1+sloka+pdf
    • http://niropub.sheridanwebsite.com/uploads/1/3/1/4/131406686/faziputevaguw_wadewurep_nakuwipilo.pdf
    • http://files.riquelle.com/uploads/1/3/0/7/130739490/5658607.pdf
    • http://rebiw.hautellc.com/uploads/1/3/0/8/130814347/2195262.pdf
    • http://files.saragrayart.com/uploads/1/3/0/7/130775137/votuzoji_gagetepimabulig_sagojegej.pdf
    • https://cdn.shopify.com/s/files/1/0435/3861/2378/files/98258146600.pdf
    • https://cdn.shopify.com/s/files/1/0438/2598/7734/files/85115134274.pdf
    • https://cdn.shopify.com/s/files/1/0434/9889/7574/files/42416255025.pdf
    • https://cdn.shopify.com/s/files/1/0437/1903/2987/files/oxford_dictionary_free.pdf
    • https://cdn.shopify.com/s/files/1/0432/2190/9662/files/74101746330.pdf
    • https://cdn.shopify.com/s/files/1/0429/0733/6867/files/bee_mp3_com.pdf
    • https://cdn.shopify.com/s/files/1/0437/3292/6615/files/cushman_truckster_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0440/4566/4406/files/kaufland_katalog.pdf
    • https://cdn.shopify.com/s/files/1/0434/4460/0999/files/xosisoxumabuvufasopewated.pdf
    • https://cdn.shopify.com/s/files/1/0427/7298/8071/files/71326010099.pdf
    • https://cdn.shopify.com/s/files/1/0428/0628/0355/files/muridulagonuxa.pdf
    • https://cdn.shopify.com/s/files/1/0433/4357/7246/files/20550533221.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065bf.bin
7482247e9d87cae006d09e2443aba7a03f8bc9c1240fa53425beaef5adb0116d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65BF 5640 bytes
font_01_sfnt_off000078fd.bin
e105291ed9b3f32b9968d47dc85ca7eed676a7a5f01f90f29f2453b91415a7d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78FD 9868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.