Malicious PDF — malware analysis report

Static analysis result for SHA-256 c522494b6c80dc1d…

MALICIOUS

PDF

39.6 KB Created: 2020-08-16 21:20:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62d60eca4e17e1b2e90424ce7f4f39fb SHA-1: 53cbd5502b9be7158c9be3c1be55ee4b13d1a29d SHA-256: c522494b6c80dc1dc14301dc379682022b45f3cac0acc56746e790cf6c4e9792
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDF files hosted on Shopify. One critical heuristic identified a link to a known malicious redirector, 'https://ttraff.cc/pify?keyword=welding+math+worksheets', which is likely intended to lead the user to a malicious site. The document body, though heavily obfuscated, contains references to this redirector URL and other PDF links, suggesting a link farm or redirection tactic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=welding+math+worksheets
    • http://files.id-alzo.com/uploads/1/3/1/8/131872015/xolofov.pdf
    • http://files.storygal.com/uploads/1/3/0/7/130776246/6512994.pdf
    • https://cdn.shopify.com/s/files/1/0429/9381/1619/files/nepebexon.pdf
    • https://cdn.shopify.com/s/files/1/0434/5207/2086/files/11989275771.pdf
    • https://cdn.shopify.com/s/files/1/0429/1638/0831/files/53035283725.pdf
    • https://cdn.shopify.com/s/files/1/0430/2556/3799/files/sivinibogeret.pdf
    • https://cdn.shopify.com/s/files/1/0428/8472/6943/files/routine_english_words_with_meaning.pdf
    • https://cdn.shopify.com/s/files/1/0439/1036/5339/files/attachments_rainbow_rowell_online.pdf
    • https://cdn.shopify.com/s/files/1/0432/2230/2888/files/65054145581.pdf
    • https://cdn.shopify.com/s/files/1/0433/8617/5651/files/tim_keller_every_good_endeavor.pdf
    • https://cdn.shopify.com/s/files/1/0434/6052/6246/files/whirlpool_cabrio_manual.pdf
    • https://cdn.shopify.com/s/files/1/0430/9201/7305/files/24638027316.pdf
    • https://cdn.shopify.com/s/files/1/0433/8342/3128/files/92664883236.pdf
    • https://cdn.shopify.com/s/files/1/0434/8575/7606/files/87915454138.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d31.bin
4c3dec0c36acee8108298a802e4834efa475af2660d7f35ff7db83e0106b6f22		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D31 5408 bytes
font_01_sfnt_off00006f7a.bin
c1fd0329e26753a9fa0fda30df184cdfe9ca597785948747bbbfab93006c6ea5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F7A 10008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.