Malicious PDF — malware analysis report

Static analysis result for SHA-256 c31814ca792d0f30…

MALICIOUS

PDF

44.2 KB Created: 2020-09-02 11:05:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4895e17630f0cb9e07fb8cdb28c3a687 SHA-1: aec254fb1e8c994f58d052bb4551a8c66c65a33e SHA-256: c31814ca792d0f30c10c8180784213d121217a8ae1c3ca44e9d934a955b2f831
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=career+paths+law+pdf'. This indicates an attempt to direct users to a potentially harmful website. The document body, though heavily obfuscated, also contains this URL, reinforcing the malicious intent. The presence of numerous other links, while many are benign, suggests a link farm or redirection strategy.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=career+paths+law+pdf
    • https://static.usrfiles.com/ugd/c3f88d_b4eff15c011d45b59d09fd9240e365d9.pdf
    • https://static.usrfiles.com/ugd/d01287_914ebea8a0224e64a2ccb731e26f7355.pdf
    • https://static.usrfiles.com/ugd/85c99c_8b9104fb9ad842ce92f7cd37d61c7d5e.pdf
    • https://static.usrfiles.com/ugd/41a0b6_c4e5567062084f459e04717da23734de.pdf
    • https://static.usrfiles.com/ugd/b8c837_6aaa9f68651048268ace09a762b54369.pdf
    • https://cdn.shopify.com/s/files/1/0432/0677/0843/files/rudram_chamakam_tamil_download.pdf
    • https://cdn.shopify.com/s/files/1/0463/4971/3569/files/androidx_cardview_example.pdf
    • https://static.usrfiles.com/ugd/d31907_c410ada5c8954a42bec97b6de2542e41.pdf
    • https://static.usrfiles.com/ugd/65b209_39e71c5fc0d24cb5ab7344f286e334a1.pdf
    • https://static.usrfiles.com/ugd/70094d_226533b09703428aa56c54c795c60327.pdf
    • https://static.usrfiles.com/ugd/d5415a_dcc9345993714d74a28dbc2bc6a3d366.pdf
    • https://static.usrfiles.com/ugd/b8c837_dd8067f5b2084320aa965e22ea9ccd1f.pdf
    • https://static.usrfiles.com/ugd/b8c837_68fc379e71e04c61acf0f4fe56d9f134.pdf
    • https://static.usrfiles.com/ugd/cc14e4_992e59602d604b27b2ddfca8b6d32af8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006fdf.bin
322ea6539b7cdc661a55ba7dc2ee8f353a995d1ae32d7b00a8dd8b409c177487		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FDF 5128 bytes
font_01_sfnt_off00008159.bin
3ec4179c1e9a6448ead4f8a139c5421e5ac00992b517eddd855214d03ab86e41		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8159 10224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.