Malicious PDF — malware analysis report

Static analysis result for SHA-256 bcdff76ba6a1b643…

MALICIOUS

PDF

38.7 KB Created: 2020-08-15 03:55:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e07ccc8da5b416ec4872d713d6248af SHA-1: 8e8d6041d94c31b2161f5a98305d47f3997b35e8 SHA-256: bcdff76ba6a1b64326ee2809fcc18424f0e1a604ecfa96b89f4929fc5e44410d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=converting+inches+to+feet+worksheet'. The document body, though heavily obfuscated, also contains this URL and other links, suggesting a lure to external content. The presence of a link farm heuristic further indicates malicious intent to distribute links. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=converting+inches+to+feet+worksheet
    • http://files.therossfarm.com/uploads/1/3/1/4/131437438/novifole-kebuzonugoj.pdf
    • https://cdn.shopify.com/s/files/1/0433/9050/1020/files/gujamomopekoxirurikin.pdf
    • https://cdn.shopify.com/s/files/1/0436/4363/3822/files/6124627170.pdf
    • https://cdn.shopify.com/s/files/1/0434/4355/2416/files/67542357777.pdf
    • https://cdn.shopify.com/s/files/1/0431/8186/7176/files/oriflame_catalogue_august_2020_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/6676/9051/files/42545380367.pdf
    • https://cdn.shopify.com/s/files/1/0431/4251/2802/files/panofagokeba.pdf
    • https://cdn.shopify.com/s/files/1/0429/1425/0905/files/merge_gratuit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004cf5.bin
0884085ed01496ab1d77b1bdeff065e6f5f1e016cdd7485d8b9a1327369a6dbf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4CF5 4928 bytes
font_01_sfnt_off00005dd2.bin
55f7ca0c01275e04b06d8cc964a4add65d2844de31137f5094645ebe72721762		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DD2 10072 bytes
font_02_sfnt_off0000805e.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x805E 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.