Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3b2c541e303cd3a…

Verdict: MALICIOUS
File type: PDF
Size: 53.8 KB
Created: 2020-08-04 09:50:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 95716da6c5f12ca64812a278a7797aad
SHA-1: bc024c9c3f79be2f30a1ee8fb84f1679134f8fb1
SHA-256: d3b2c541e303cd3ace9bd8de4787b40ad44b836a072b275d9cca87f5824e2773
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a lure themed around a spelling bee competition, a common social engineering pretext. It embeds multiple links; the critical heuristic fires on a link to a known malicious redirector at 'https://ttraff.cc/pify?keyword=words+list+for+spelling+bee+competition+pdf'. This redirector likely leads to further malicious content or exploits. The document body also contains numerous other URLs, many pointing to Shopify, likely part of a link farm intended to improve search engine ranking for malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/pify?keyword=words+list+for+spelling+bee+competition+pdf
    • http://files.silviabattista.com/uploads/1/3/1/4/131438161/juvevef.pdf
    • http://files.secondchancepetsponsors.org/uploads/1/3/1/3/131379567/2170554.pdf
    • http://dasesex.montessoriassothailand.org/uploads/1/3/1/8/131856161/zafepigisew_dewevulezi_poparekugatif.pdf
    • https://cdn.shopify.com/s/files/1/0434/3165/7638/files/simafakuvugitis.pdf
    • https://cdn.shopify.com/s/files/1/0434/1297/9879/files/tomamopekopimaxamelulikib.pdf
    • https://cdn.shopify.com/s/files/1/0434/7330/5750/files/guruk.pdf
    • https://cdn.shopify.com/s/files/1/0430/6026/5117/files/xasunupuromubodibezividem.pdf
    • https://cdn.shopify.com/s/files/1/0431/1128/4893/files/43495211103.pdf
    • https://cdn.shopify.com/s/files/1/0434/5744/6038/files/67842750304.pdf
    • https://cdn.shopify.com/s/files/1/0433/8706/0375/files/86277828208.pdf
    • https://cdn.shopify.com/s/files/1/0428/9154/2681/files/87810739966.pdf
    • https://cdn.shopify.com/s/files/1/0431/6299/2799/files/49141224233.pdf
    • https://cdn.shopify.com/s/files/1/0435/3222/2615/files/lonafojikumumivomogusiw.pdf
    • https://cdn.shopify.com/s/files/1/0430/8631/5684/files/download_adobe_reader_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0431/5948/6626/files/jolewirunijukigibiwasor.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00009769.bin
  SHA-256: c854f34f8fa683f1d6d0f964c4428c7df037f02aaef30d4c845f4d2a1c66e49a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9769
  Size: 5420 bytes

Filename: font_01_sfnt_off0000a9d0.bin
  SHA-256: 99f6e7ecd4b1fea064e3a3ae3ae436fdffb9aaeb7157986a77abae8cf199170e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA9D0
  Size: 9424 bytes