Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8e7e3c7fcad42c4…

MALICIOUS

PDF

50.7 KB Created: 2020-08-05 05:03:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7663bc81a4f6aff790b01f606885307b SHA-1: 55563857b877a5d8fee3f4db268ccb8914c6698e SHA-256: d8e7e3c7fcad42c400a9de98e06f05b8c909a08df10bcd3b1326999f85e6cb40
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass external link farm, with a primary malicious redirector link pointing to 'https://ttraff.cc/pify?keyword=concise+paediatrics+pdf+free+download'. This suggests the document is designed to lure users into clicking the link, likely to download further malicious content or be redirected to a phishing site. The document body and embedded links reinforce this lure by mentioning "Concise paediatrics pdf free download".

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=concise+paediatrics+pdf+free+download
    • http://files.ossipeecentralschool.org/uploads/1/3/1/3/131384249/966349.pdf
    • http://files.xzibitstudios.com/uploads/1/3/1/3/131379980/2056237.pdf
    • http://files.allisonattitude.com/uploads/1/3/1/8/131872087/dudobikuluru.pdf
    • https://cdn.shopify.com/s/files/1/0436/0978/4482/files/77709704025.pdf
    • https://cdn.shopify.com/s/files/1/0427/9985/7823/files/11475955396.pdf
    • https://cdn.shopify.com/s/files/1/0441/3492/4440/files/26232553509.pdf
    • https://cdn.shopify.com/s/files/1/0432/4976/2459/files/administrao_de_produo_e_operaes_henrique_l._corra.pdf
    • https://cdn.shopify.com/s/files/1/0436/5438/1721/files/zadakopimowubijusotova.pdf
    • https://cdn.shopify.com/s/files/1/0445/8423/9268/files/search_text_layer.pdf
    • https://cdn.shopify.com/s/files/1/0428/8145/0147/files/dajelagexawaweri.pdf
    • https://cdn.shopify.com/s/files/1/0431/8288/2980/files/veruvolejuxosulazukuga.pdf
    • https://cdn.shopify.com/s/files/1/0429/0831/9903/files/decimal_number_line.pdf
    • https://cdn.shopify.com/s/files/1/0433/1329/9620/files/27225807207.pdf
    • https://cdn.shopify.com/s/files/1/0431/7511/6959/files/dexivaniwapuginewoxixu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off00008b7b.bin
129686b3aee7178490784ad70bb84c370aad838ecb3dc1cc896a7fdefc0fa646		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8B7B 26976 bytes
font_00_sfnt_off00005970.bin
16030f14f766ea3946790cbec5efb8ebf8485e2c2820a79ad563aa35ee169e08		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5970 5148 bytes
font_01_sfnt_off00006b11.bin
a80935eab46a666d53691351d6c366f4537a36e9dade9342e3a3b8a5b7ff4e45		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B11 9440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.