Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfcfd7d2c6a97b39…

Verdict: MALICIOUS
File type: PDF
Size: 51.9 KB
Created: 2020-08-30 21:16:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7179c243028d33da761cab59933cb8ec
SHA-1: b4a4033f95d3ef0b15c2ef389c381984c3f52f9d
SHA-256: cfcfd7d2c6a97b393ce346fc155f0007e29e706a365efe05c3bc78ca34873d14
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, many of which point to a redirector service. One such link, 'https://ttraff.com/wix?keyword=inji+iduppazhagi+free+download', is identified as malicious. The document body, though heavily obfuscated, contains this same URL, suggesting the primary intent is to redirect the user to malicious content. The file was generated by wkhtmltopdf, a tool often abused for creating malicious documents.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=inji+iduppazhagi+free+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000830f.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x830F    5280 bytes
  SHA-256: 654edc8941582306ffd0842a87f821c375592b46271d2e5b804a56cd501d66ed
font_01_sfnt_off0000951d.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x951D    14320 bytes
  SHA-256: e9dab92ad29b34bbba734bd1cfaa772d67128a8475496a4793677eef316f82b6