Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3fff83c3d3c1790…

MALICIOUS

PDF

44.5 KB Created: 2020-08-11 18:46:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b579a8fbd0932f328ee38eb1dfcfa4f SHA-1: b55a68384489b26e90d7342ae8388ee2b7a95d22 SHA-256: b3fff83c3d3c179072aba4edf07b28ad95310c14a2399100014f895132bf4a2f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.cc/pify?keyword=ganesh+atharvashirsha+in+tamil+pdf`. Additionally, another critical heuristic indicates a PDF link farm, with multiple embedded URLs. The document body, though heavily obfuscated, contains references to the redirector URL and several other potentially malicious PDF links. This suggests the primary goal is to redirect the user to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=ganesh+atharvashirsha+in+tamil+pdf
    • http://mexavebo.thegreatescape4u.com/uploads/1/3/0/7/130739695/7840474.pdf
    • http://files.tiffanyphillipsrn.com/uploads/1/3/0/8/130814298/vobajulumixoj_jedekukoru.pdf
    • http://files.heartofillinoisorff.org/uploads/1/3/1/3/131379371/9586210.pdf
    • http://gogov.laniefrick.com/uploads/1/3/0/7/130776644/6a79b.pdf
    • https://cdn.shopify.com/s/files/1/0429/3397/7255/files/69828181736.pdf
    • https://cdn.shopify.com/s/files/1/0432/0008/6180/files/benanodelitanijegenu.pdf
    • https://cdn.shopify.com/s/files/1/0430/4686/3005/files/hyperbole_and_a_half.pdf
    • https://cdn.shopify.com/s/files/1/0441/1867/1512/files/casos_practicos_de_auditoria_administrativa.pdf
    • https://cdn.shopify.com/s/files/1/0432/9875/0629/files/46928615154.pdf
    • https://cdn.shopify.com/s/files/1/0433/5570/1398/files/xisusinojulolobegu.pdf
    • https://cdn.shopify.com/s/files/1/0430/0174/1463/files/99586145614.pdf
    • https://cdn.shopify.com/s/files/1/0428/6640/9639/files/70368815595.pdf
    • https://cdn.shopify.com/s/files/1/0429/6278/0311/files/murokofupapofedeluxiwa.pdf
    • https://cdn.shopify.com/s/files/1/0433/4492/0734/files/42576626760.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006fee.bin
000bfb2869b11b308c4f3178b3d02e4c35040fd64081e17acc388260d2647bdf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FEE 5372 bytes
font_01_sfnt_off00008215.bin
d4f9dd1fed3d8ae145b16fa04c5cd519c9964100f03b58be113554a8aa7df3ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8215 10340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.