Malicious PDF — malware analysis report

Static analysis result for SHA-256 d791c12faff407bf…

Verdict: MALICIOUS
File type: PDF
Size: 74.1 KB
Created: 2020-09-17 20:48:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a554440745489fc3b6755797c1721824
SHA-1: 89be412887cbe8529058b071352fd0e680d86b02
SHA-256: d791c12faff407bfd048b86874cee76952a55d45645e9e940cc2ca1deacc1438
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The file also exhibits characteristics of a PDF SEO link farm, with numerous embedded links pointing to external PDF files. The presence of urgency lures further supports a phishing or scam attempt. The primary malicious URL identified is https://ttraff.me/wix?keyword=odu+school+of+nursing+portfolio.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.me/wix?keyword=odu+school+of+nursing+portfolio
    • http://files.centraldrivewayswarwick.co.uk/uploads/1/3/0/7/130740180/7590134.pdf
    • http://files.gestaltleadershipcoach.com/uploads/1/3/2/6/132695543/af934c5a0.pdf
    • http://files.stjohnshighlegh.org/uploads/1/3/1/3/131398046/netamelo_viwalalu_pawub_pabaru.pdf
    • http://jabibake.jimsmusic.com/uploads/1/3/2/6/132695384/vitedawiziline.pdf
    • https://4b967737-7187-4107-9ec3-26a379e2adba.filesusr.com/ugd/b41a9a_12b66d47340043c3a36557d04e593968.pdf?index=true
    • https://2042d025-4e1b-4691-a17b-4ea51d9f22f5.filesusr.com/ugd/11b39a_b17f4526a4e44b25bf525dc24666328c.pdf?index=true
    • https://12d89f53-f359-4344-b45c-dd2b306d1533.filesusr.com/ugd/003b86_9324375e3bb945a8b23219ee70c73e0e.pdf?index=true
    • https://7e2fe29f-922b-4dce-b98e-3ee804803212.filesusr.com/ugd/9c66ff_1700c91d6a0c46e8a8ba247370efb85f.pdf?index=true
    • https://d60eb9f4-cc41-4128-ac6c-4e29f547c562.filesusr.com/ugd/ee6770_384a887f98d44b5aa01b1f9bdd6269a5.pdf?index=true
    • https://c1870de6-a8ea-48c9-b8e8-be6c137d9b01.filesusr.com/ugd/f65518_9f5d2005b857495ba225631a36266006.pdf?index=true
    • http://www.odu.edu/nursing
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e4d9.bin
SHA-256:  d22abda09ad867d0f38e987396f8bcbcfa4f1db36b1ef5fa20938e2c9919cd10
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xE4D9
Size:     5232 bytes

Filename: font_01_sfnt_off0000f6a7.bin
SHA-256:  33f8a1b6a2f9df51e3d94c05083bb16f3aa9a6cb4150d38a5a7ac24175ff5c51
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xF6A7
Size:     10924 bytes