Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc402cf6d9a2f48e…

MALICIOUS

PDF

39.8 KB Created: 2020-08-19 17:25:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 70a69a1fadf768417cf24bea1a7fe875 SHA-1: c19e21aed091c206603d02cadacbf8daabda0b7a SHA-256: bc402cf6d9a2f48ed60d9134dda5ddb3ca9283840aea35fc3e49a5b8a9f90428
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to external resources. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is used to obscure the final destination. The document body, though heavily obfuscated, contains text related to 'maths worksheets' and the malicious URL, suggesting a lure to trick users into clicking the link. The presence of numerous PDF links also indicates a link farm strategy, likely for SEO poisoning or to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=maths+worksheets+ks1+year+2
    • http://files.niassestudios.com/uploads/1/3/0/8/130874318/b919e96e4ba.pdf
    • http://files.storytellersnz.org/uploads/1/3/2/6/132682929/jibaredadi-jamosojukafo-tupasedigodiw.pdf
    • http://files.fisherah.com/uploads/1/3/0/9/130969545/5654798.pdf
    • http://zoxodeme.jeffreytedford.com/uploads/1/3/2/7/132740214/6762ce7afc80b5.pdf
    • http://files.rhsglobalstudies.com/uploads/1/3/1/4/131437157/pemepabojajezoxu.pdf
    • https://cdn.shopify.com/s/files/1/0434/1514/2567/files/28465130533.pdf
    • https://cdn.shopify.com/s/files/1/0430/6649/1041/files/xomigaz.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vawis.pdf
    • https://cdn.shopify.com/s/files/1/0431/2272/0922/files/calling_in_the_reserves_vanilla_wow.pdf
    • https://cdn.shopify.com/s/files/1/0438/2919/8998/files/risk_management_in_software_project_management.pdf
    • https://cdn.shopify.com/s/files/1/0429/8709/4177/files/93051133703.pdf
    • https://cdn.shopify.com/s/files/1/0438/7209/2315/files/23916267397.pdf
    • https://cdn.shopify.com/s/files/1/0434/7002/8966/files/lagavifelurufirilipitekas.pdf
    • https://cdn.shopify.com/s/files/1/0430/4217/7181/files/28869203617.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e74.bin
d676c0077a84665219bde4041a389a8b7028c150d3d351f58ae29ca4757a5340		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E74 5188 bytes
font_01_sfnt_off00007038.bin
a164f08dd4997bf761e1b3a11f52bcb0490c22b5984a8a005288ba8df7e51d70		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7038 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.