Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2d916502b7dd578…

MALICIOUS

PDF

51.4 KB Created: 2020-09-02 11:50:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 485ffa4db89ec132b3d060acf9794705 SHA-1: 2c6066268dbf30c509b4a143217605fa531311c8 SHA-256: d2d916502b7dd57834ac595b446e323cadc170662c63fe217f0ff6be851d0f3a
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=online+admission+form+for+bsc+in+gujarat'. This URL is presented within the document body, disguised as an admission form, and likely leads to a malicious payload or phishing site. The PDF also exhibits characteristics of a link farm, with numerous embedded links to external PDFs, some of which are hosted on static.usrfiles.com.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=online+admission+form+for+bsc+in+gujarat
    • https://static.usrfiles.com/ugd/fd30ac_5df8e7acc95f4c469b41f895a00c67e5.pdf
    • https://static.usrfiles.com/ugd/8dde66_af59c8e3335e4811b6bfbd8980a685de.pdf
    • https://static.usrfiles.com/ugd/83e24f_bb83faa5cc1b402e92150675edd5ead8.pdf
    • https://static.usrfiles.com/ugd/cec570_6af0de6ef1b944d1bdc00ac460f3ccad.pdf
    • https://static.usrfiles.com/ugd/b8c837_720f27dbbeea4f4584d63ef9ccc4cf04.pdf
    • https://cdn.shopify.com/s/files/1/0430/0177/4233/files/dozofuxosokawoborig.pdf
    • https://cdn.shopify.com/s/files/1/0431/6522/1028/files/28412319149.pdf
    • https://cdn.shopify.com/s/files/1/0447/9421/6599/files/germes_arobies_msophiles_totaux.pdf
    • https://cdn.shopify.com/s/files/1/0434/5593/8725/files/how_to_format_macbook_pro.pdf
    • https://cdn.shopify.com/s/files/1/0431/7223/3380/files/fatca_reporting_1_ffi.pdf
    • https://static.usrfiles.com/ugd/d5415a_ec9f58951573483fbdfa8ebd4c70b0b4.pdf
    • https://static.usrfiles.com/ugd/a72fa8_4458718317a8463aa8304eeb817a0735.pdf
    • https://static.usrfiles.com/ugd/ca9b0a_54f0191420f8430cba7dd83f0cb81d3c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007fbe.bin
e64cf0fa608e87d8638cd13da616649551599b553f22b8f528092fd447cfffff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FBE 5584 bytes
font_01_sfnt_off000092a6.bin
0e4174baeb260d8f6920191ab135765be21819d420b4319d89039d5b1f6d3258		 pdf-font-stream PDF embedded font (sfnt) at offset 0x92A6 15024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.