Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3e5050aeb5dfc90…

Verdict: MALICIOUS
File type: PDF
Size: 72.0 KB
Created: 2020-08-09 09:08:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff9fde1eab197d2a073a4e47c2fd798f
SHA-1: 4669945988151fb29ee3995aac92a2b1964ddeb0
SHA-256: b3e5050aeb5dfc906dd9645cb082d9581be6aba5f049e2d384008ead0092f529
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains multiple heuristic firings indicating malicious redirection and a link farm. The primary malicious URL, 'https://ttraff.cc/pify?keyword=beethoven+virus+ost+pdf', is a known malicious redirector. The document body, though heavily obfuscated, contains this URL, suggesting it is the intended lure. The presence of numerous external PDF links, many pointing to benign content, is a common tactic to mask the malicious link within a larger set of seemingly legitimate resources.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=beethoven+virus+ost+pdf

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

  • stream_005_off0000bf67.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xBF67
    Size: 8348 bytes
    SHA-256: 5076a113f13481eae540355ba8e225c888cf7e090af8eb9d77d7a3cde3396b4d
  • font_00_sfnt_off000095df.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x95DF
    Size: 7444 bytes
    SHA-256: c117caa8cb8b46cc0f58ac70384def155fc12e12f7e48d88cd669f9d5433dd8b
  • font_01_sfnt_off0000ae6a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAE6A
    Size: 4996 bytes
    SHA-256: f449102d31b8df64c2f720ec86ca7e7b6af63e25abcc6e62f8a3098b877ac583
  • font_03_sfnt_off0000d6eb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD6EB
    Size: 11636 bytes
    SHA-256: 9c6323c9b4da1565b1afc3adfab904717e832288b55e5df586d356e03d1f2202
  • font_04_sfnt_off0000fd23.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD23
    Size: 16092 bytes
    SHA-256: ea75db71c9df7250347a03039f742fcd189f5fc3f08964e696816fa8b5227073