Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6d4382490b39dc4…

MALICIOUS

PDF

97.5 KB Created: 2020-08-08 03:05:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6dcc23b1f5098bf2ba815858921d01e9 SHA-1: 6d9ccdbdee54c178e0912ee1760b94eccc225566 SHA-256: c6d4382490b39dc4fc5ee71ab90a2d7f936d2e9d6848b77edb891129f8e3715e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. This URL is embedded within the document body, suggesting an attempt to direct the user to a malicious site. The presence of a PDF link farm heuristic further indicates a campaign to generate traffic to external resources. No scripts were extracted, but the primary attack vector appears to be the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=b.+arch+paper+jee+mains+pdf
    • http://files.pgx-jo.com/uploads/1/3/1/4/131437561/teketafufanunev.pdf
    • http://files.tucsonoldpueblodar.org/uploads/1/3/1/3/131383821/zavopuja-defani.pdf
    • http://files.aedutah.com/uploads/1/3/1/4/131454850/8928521.pdf
    • http://files.ottosconespoint.com/uploads/1/3/0/9/130969151/vurutugasitenugi.pdf
    • https://cdn.shopify.com/s/files/1/0427/6387/8566/files/36876619301.pdf
    • https://cdn.shopify.com/s/files/1/0431/8812/5857/files/lotobab.pdf
    • https://cdn.shopify.com/s/files/1/0432/9917/6612/files/21839238744.pdf
    • https://cdn.shopify.com/s/files/1/0430/3699/9842/files/woxadepe.pdf
    • https://cdn.shopify.com/s/files/1/0427/7354/5116/files/purpose_driven_life_study_guide_free.pdf
    • https://cdn.shopify.com/s/files/1/0432/4222/5831/files/mipimipig.pdf
    • https://cdn.shopify.com/s/files/1/0428/5143/4659/files/zekugenimasukoruxibaze.pdf
    • https://cdn.shopify.com/s/files/1/0434/2844/6358/files/21549212137.pdf
    • https://cdn.shopify.com/s/files/1/0439/0099/3691/files/91622310108.pdf
    • https://cdn.shopify.com/s/files/1/0431/6217/3602/files/kulawa.pdf
    • https://cdn.shopify.com/s/files/1/0432/2859/4344/files/54236060237.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/famulogux.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014335.bin
82fbb50a251f26950a6823c074aa437d51f21a7de893cf86ab12eced740c6b30		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14335 5520 bytes
font_01_sfnt_off000155dc.bin
eb19c7bc4283d2de7916b9d213db4d95a590c993cbe9bf862d9800182db5cfab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x155DC 10344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.