Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf399fe1c9562774…

MALICIOUS

PDF

44.4 KB Created: 2020-08-20 13:39:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 717c222a184089a0d859b3ec896e5e02 SHA-1: 476edcc2b7b9ef11c513cc1918bef337aabeeef4 SHA-256: cf399fe1c9562774fe8a9d4350035453b11c3430103e9ff47bbcf6efd447b4b3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one critical heuristic identifying a link to known malicious redirector infrastructure at 'ttraff.com'. The document body, though partially corrupted, contains text related to 'Gallup q12 questions and answers', suggesting a lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm strategy, likely to improve SEO for malicious content or to obscure the ultimate destination. The primary malicious URL is https://ttraff.com/pify?keyword=gallup+q12+questions+and+answers.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=gallup+q12+questions+and+answers
    • http://files.thinkanomalous.com/uploads/1/3/1/8/131856012/6438661.pdf
    • https://cdn.shopify.com/s/files/1/0430/6416/4506/files/54286383627.pdf
    • https://cdn.shopify.com/s/files/1/0433/9197/5580/files/bendix_air_compressor_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0437/4275/7029/files/tukupebipuzu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/77363931764.pdf
    • https://cdn.shopify.com/s/files/1/0433/5858/4986/files/jelemag.pdf
    • https://cdn.shopify.com/s/files/1/0437/7011/8306/files/34658096234.pdf
    • https://cdn.shopify.com/s/files/1/0435/7554/1919/files/tarascon_emergency_medicine.pdf
    • https://cdn.shopify.com/s/files/1/0428/0870/5187/files/73630078880.pdf
    • https://cdn.shopify.com/s/files/1/0431/7587/0613/files/62896482027.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/ruxejuvekega.pdf
    • https://cdn.shopify.com/s/files/1/0434/8890/3325/files/megaman_network_transmission.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000618e.bin
6f1deb60a2aa7e3a49ccb45d54288f5d4cee998bac7232da22f080572a20b30b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x618E 5268 bytes
font_01_sfnt_off0000739e.bin
67d1eec85e653712e125792a2cbfc8c268b6c7b17eb5fdef2da4e718da5fee0d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x739E 10360 bytes
font_02_sfnt_off00009702.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9702 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.