Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccf07e3adc08ef72…

MALICIOUS

PDF

40.1 KB Created: 2020-08-30 03:06:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64392f8e29480bd6cb0b8365f64e8cc8 SHA-1: a2897419cfb26612f84155f0e9272afbad8b6ab1 SHA-256: ccf07e3adc08ef72bf2f8c6b2ae7e0ae115b8fde0ce875fd6b79ff7a6a0e9193
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, directing users to 'ttraff.cc'. The document body, though partially corrupted, contains text related to a worksheet and the malicious URL. This suggests a phishing attempt where the user is tricked into clicking the link under the guise of accessing educational material. The PDF also contains a link farm heuristic, indicating a broader attempt to distribute malicious links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=comparing+molecular+and+ionic+compounds+worksheet
    • https://cdn.shopify.com/s/files/1/0431/1603/6249/files/va_forms_4138.pdf
    • https://cdn.shopify.com/s/files/1/0433/9659/5861/files/free_rental_lease_agreement_form.pdf
    • https://cdn.shopify.com/s/files/1/0430/2720/2205/files/cardiac_tamponade_adalah.pdf
    • https://cdn.shopify.com/s/files/1/0433/0225/6795/files/70730591327.pdf
    • https://cdn.shopify.com/s/files/1/0431/5847/0807/files/arabic_calligraphy_workbook.pdf
    • https://static.usrfiles.com/ugd/73c254_b69ab21490884bb591a6558cfe68c5b6.pdf
    • https://static.usrfiles.com/ugd/b8c837_bf52e3c9035c4fc5ba97cdc78f330aad.pdf
    • https://static.usrfiles.com/ugd/33c377_a1df9c7b8e8f4a839dcfd406534be225.pdf
    • https://static.usrfiles.com/ugd/26938b_a8b5a6f00a0740ae819071d7aedaec61.pdf
    • https://static.usrfiles.com/ugd/7ea8bb_88df5de83c034c8fb21a3b6fbc99e521.pdf
    • https://static.usrfiles.com/ugd/f65518_e9571e704c9846229a8c3085d29f48ea.pdf
    • https://static.usrfiles.com/ugd/b8c837_036edfe4fecf43169e19388be727cec1.pdf
    • https://static.usrfiles.com/ugd/38bf1f_503d34529abc456397637f140ac1a9a6.pdf
    • https://static.usrfiles.com/ugd/b8c837_2d6608b009dd43d7ad134d5df9a149a7.pdf
    • https://static.usrfiles.com/ugd/696b8a_11c45ee7a15249149109fb065fd7a0cc.pdf
    • https://static.usrfiles.com/ugd/2e79a6_ed6e9000d93543b1872684f8040307cd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a56.bin
903ccd737f5b1e53c302dc773c5d08ef4faca6d21c402fd5951a0633ea306e9a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A56 5548 bytes
font_01_sfnt_off00006d11.bin
75c8422ea06435d8ac4940a7fe631168f6a5ccdc253715fcdc0a6308bfc6ddb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D11 10568 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.