Malicious PDF — malware analysis report

Static analysis result for SHA-256 d08ff399ed50174a…

Verdict: MALICIOUS
File type: PDF
Size: 73.4 KB
Created: 2020-08-06 12:44:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 86584ebd351b045e19d28434d27054a4
SHA-1: f1be79a60f4dcf68798185a0112d16b76cff6218
SHA-256: d08ff399ed50174ae27d3d6584ced822c3ebe64ba91234857173d10cc1820f8b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, with one heuristic identifying a malicious redirector and another flagging a link farm. The primary malicious URL is https://ttraff.cc/pify?keyword=andhra+bhoomi+news+paper+pdf. The document body contains garbled text but includes references to 'Andhra bhoomi news paper pdf' and 'wkhtmltopdf', suggesting a lure document. The presence of many links, including those hosted on various domains, indicates an attempt to distribute malicious content or engage in SEO manipulation for malicious purposes.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=andhra+bhoomi+news+paper+pdf (the URL flagged by the redirector heuristic)

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000582f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x582F   5472 bytes
  SHA-256: ca9ac00d961f50e9d743caff76cb00089c8a85017955b228519e768533c6b720
font_01_sfnt_off00006a9f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6A9F   2656 bytes
  SHA-256: ff8289fcab20b7b81f5dc7c47458689637225d7099c48932a46d6898d6123f6c
font_02_sfnt_off000075a4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x75A4   4540 bytes
  SHA-256: 09dc4d395b0e6ffb05b25f92be1c8d47c9e00b3e3189601717759dc78185961c
font_03_sfnt_off00008447.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8447   3048 bytes
  SHA-256: b5c6b6e0c9ada0bf1c6b02372d38a6194b0fc304f51b15768a03b7bd417def48
font_04_sfnt_off00009056.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9056   2328 bytes
  SHA-256: 18b250f24057ce91e4a59b25c1eec79fa8b4d7e2cb9f6c0de02c7e032a072fd4
font_05_sfnt_off00009b0b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9B0B   3680 bytes
  SHA-256: b2b70dd583c1db7f26516e5b5ba61ae100e913c33291c5d04c2b8a2fd36b783b
font_06_sfnt_off0000a97c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA97C   2604 bytes
  SHA-256: 5fd53e2058c4f5d98b70161d670f1e42036942552fef68ac845a5e47e2d7f715
font_07_sfnt_off0000b49c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB49C   4336 bytes
  SHA-256: 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284
font_08_sfnt_off0000c23c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xC23C   9784 bytes
  SHA-256: fe424088b0c0e29fd8e4958dd619e1b3c6bab5536a274b5fe2328ff8a5b71136
font_09_sfnt_off0000e3f0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE3F0   16364 bytes
  SHA-256: 5c971579a9757ec78140e64ead599d54fdf12b60b3cf2ea948461a3b0714b55c
font_10_sfnt_off0000fa41.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFA41   3224 bytes
  SHA-256: 0cfaca4bb5f89c70df9740475698f7723c60fa4934566cb717e926ccd4576699
font_11_sfnt_off00010721.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10721  2608 bytes
  SHA-256: 89aa5ef39ecd647c310fa7d43209dd0d208a608e38381102f2e40635d4f29b56