Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3248beac29526b4…

MALICIOUS

PDF

43.2 KB Created: 2020-08-04 05:52:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65df8b83f5fce4ffde9bc351ba693e40 SHA-1: be10595d666401af5620c0686adf0d94c669b848 SHA-256: d3248beac29526b4f6b8a55b23fed975fcef889b590dc29fc5cef441be16cfb5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=6th+grade+vocabulary+packet+pdf'. This indicates a phishing or scam attempt where the document's content is a lure. The PDF also contains a large number of external links, many hosted on Shopify, suggesting a link farm or SEO manipulation tactic to distribute malicious content. No scripts were extracted, but the presence of the malicious redirector is sufficient evidence of malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=6th+grade+vocabulary+packet+pdf
    • http://files.ernesthatton.com/uploads/1/3/1/4/131453414/f8e2329b13.pdf
    • http://jidereje.oberlinsfc.com/uploads/1/3/0/7/130738524/54bcd6b58b.pdf
    • http://files.devolvedperspective.com/uploads/1/3/1/6/131637131/4100637.pdf
    • https://cdn.shopify.com/s/files/1/0432/7201/1931/files/95298300261.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/8861538602.pdf
    • https://cdn.shopify.com/s/files/1/0429/1851/0745/files/45800506939.pdf
    • https://cdn.shopify.com/s/files/1/0432/2908/5859/files/67195723610.pdf
    • https://cdn.shopify.com/s/files/1/0435/9513/7181/files/sony_kdl40r510c_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/34993807018.pdf
    • https://cdn.shopify.com/s/files/1/0431/7321/6411/files/gajavugoledevalawa.pdf
    • https://cdn.shopify.com/s/files/1/0439/3605/5454/files/land_claim_block_7_days_to_die.pdf
    • https://cdn.shopify.com/s/files/1/0434/4207/7852/files/space_engineers_server_linux.pdf
    • https://cdn.shopify.com/s/files/1/0431/0453/4692/files/41917197775.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d5a.bin
7633a4eda69f0edd69510cd52109e3c5c98d3b6ad2d99dbd7c3222334a0a7ab4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D5A 5392 bytes
font_01_sfnt_off00006fd0.bin
bea5716bc9ee424fecb2686c4eadd284f7dcf2ece4012b25fbc7b8170ee29d38		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FD0 10088 bytes
font_02_sfnt_off0000923a.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x923A 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.