Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd6b05e3ca1aeb83…

MALICIOUS

PDF

43.2 KB Created: 2020-08-11 04:05:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ef1762876e06eefe6accc421f8792bb SHA-1: df34cff9d433e2d6b6aa70b554edb8c3649c2cf3 SHA-256: cd6b05e3ca1aeb83cc38c5c9faf20fea287a3e4bf156da2f41de1d6d2bdcbe41
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass of external links, including a critical redirector link to ttraff.com. The document body, though heavily obfuscated, contains the text 'Behaviorismo metodol uevo pdf' and the malicious URL, suggesting a lure to a malicious site. The presence of numerous shopify.com links appears to be an attempt to blend in with benign content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=behaviorismo+metodol%25C3%25B3gico+pdf
    • http://files.megremedialmassage.com/uploads/1/3/1/8/131856353/5256246.pdf
    • http://mujesexu.courtneymillerpilates.com/uploads/1/3/2/3/132303382/puxomovebokarurexaki.pdf
    • http://files.kellybalmaceda.com/uploads/1/3/1/3/131380616/4070708.pdf
    • https://cdn.shopify.com/s/files/1/0430/7235/6509/files/aprende_a_leer_musica_peter_nickol.pdf
    • https://cdn.shopify.com/s/files/1/0439/9448/0798/files/69304205419.pdf
    • https://cdn.shopify.com/s/files/1/0428/8030/3270/files/kexapofitogevunejom.pdf
    • https://cdn.shopify.com/s/files/1/0427/9179/6902/files/english_for_business_studies_cambridge_third_edition.pdf
    • https://cdn.shopify.com/s/files/1/0434/7274/8710/files/bijolodu.pdf
    • https://cdn.shopify.com/s/files/1/0434/6442/5622/files/kajad.pdf
    • https://cdn.shopify.com/s/files/1/0438/9571/8040/files/20366156870.pdf
    • https://cdn.shopify.com/s/files/1/0436/0149/4179/files/goxurarilesavalamaraber.pdf
    • https://cdn.shopify.com/s/files/1/0441/2126/0184/files/buxenuwi.pdf
    • https://cdn.shopify.com/s/files/1/0435/9438/3522/files/21837118887.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/1297022614.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065bd.bin
ae0270081132fe1e44a516ce7fa10ae9ca53c5f7418646a7b6e096f701dffb8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65BD 5812 bytes
font_01_sfnt_off00007930.bin
7d95be45638335f3428ae6b70b0f16d741e516ec27d3c35926fa89eef45fa56d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7930 11568 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.