Malicious PDF — malware analysis report

Static analysis result for SHA-256 b314767fbf0057d8…

Verdict: MALICIOUS
File type: PDF
Size: 40.8 KB
Created: 2020-08-07 07:54:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72bc4a264feb5d33f250eb4bfd4ee1df
SHA-1: 02ca7100c1eb70fb7118e3703b0f686b1261998b
SHA-256: b314767fbf0057d85e6978e2d7e3f15f7a01aef94b5475381cff7c58a0de9128
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link farm and a direct link to a known malicious redirector, ttraff.cc. The document body, though heavily obfuscated, contains the same URL and keywords suggesting an attempt to disguise malicious content as educational material. The primary goal appears to be redirecting the user to malicious infrastructure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=7th+grade+math+common+core+standards+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000606a.bin
SHA-256:  38f3cb6e49109825298a3281bc3184f6c0a2e66444be3f0093916cc2d6cb4f95
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x606A
Size:     5524 bytes

Filename: font_01_sfnt_off0000730c.bin
SHA-256:  998808b1a7bef56a8cbd56791e6afd5e30ca6071114b7e66605a260dee7ded57
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x730C
Size:     10356 bytes