Malicious PDF — malware analysis report

Static analysis result for SHA-256 d587bfab8bfe58a9…

MALICIOUS

PDF

80.9 KB Created: 2020-08-23 04:23:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 687631a2412ed68e1fb9f1d493f45243 SHA-1: bb7ea903b36abf105f2c71b6cf7b445f0344a75d SHA-256: d587bfab8bfe58a91be6f16fc7c63c1e3f9b5263d9b11958e64e5315f3a1669c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm and a primary redirector URL, indicating a phishing or scam attempt. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK firing confirms the redirector at https://ttraff.com/pify?keyword=ascus+canadian+guidelines is malicious. The document body, though heavily obfuscated, contains the same redirector URL, reinforcing its role in the attack. The presence of numerous embedded links to external PDFs suggests a coordinated effort to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ascus+canadian+guidelines
    • http://zoxozal.livingskyfarms.ca/uploads/1/3/0/8/130814297/8f25d1513a6f.pdf
    • http://lujakovos.huckleberryherbs.com/uploads/1/3/0/7/130775840/ninamekuredo.pdf
    • http://files.rockyridgefarm.org/uploads/1/3/0/8/130814714/9648427.pdf
    • http://files.amateursubiepros.com/uploads/1/3/2/7/132710794/1747862.pdf
    • https://cdn.shopify.com/s/files/1/0431/4054/6714/files/68748711903.pdf
    • https://cdn.shopify.com/s/files/1/0429/9620/3679/files/nabusuxajobikusaxobak.pdf
    • https://cdn.shopify.com/s/files/1/0433/0507/4838/files/8918560407.pdf
    • https://cdn.shopify.com/s/files/1/0436/2698/7680/files/remosonakojo.pdf
    • https://cdn.shopify.com/s/files/1/0437/4901/5713/files/spring_boot_hibernate_mysql_example.pdf
    • https://cdn.shopify.com/s/files/1/0428/8865/9100/files/apache_spark_scala_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0431/7957/3414/files/kobowiputolopapovanuwo.pdf
    • https://cdn.shopify.com/s/files/1/0436/0713/0270/files/fifirudoberimejifo.pdf
    • https://cdn.shopify.com/s/files/1/0434/2897/0647/files/makalah_endometritis.pdf
    • https://cdn.shopify.com/s/files/1/0433/0081/4998/files/ahista_ahista_movie_free.pdf
    • https://cdn.shopify.com/s/files/1/0448/2636/2013/files/gene_polymorphism_definition.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ffcd.bin
ae390ebc2034cc5aea03b8aa600098a19323fa20e6eaecf0430efb829f3b515e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFFCD 5000 bytes
font_01_sfnt_off000110dc.bin
8bde95dd672905f63d1b7aaa4be8c8410df2e43aa7a37e0b050b03fa535f2e7e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x110DC 11036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.