Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9f56519c93ed5a7…

MALICIOUS

PDF

41.5 KB Created: 2020-08-09 22:47:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c408a3f85a28368f8c3b68db94a34eb SHA-1: dafd652ccf53b1038d040ec13656232afd274a94 SHA-256: d9f56519c93ed5a78cfe4f06f27b017952d49aff9d3e6ecfa07fc82726fbc3f0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, with a critical heuristic firing indicating it is a link farm designed to redirect users. One of the primary links, 'https://ttraff.cc/pify?keyword=clinical+services+capability+framework+pdf', points to known malicious redirector infrastructure. The document body itself is heavily obfuscated and contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create documents for SEO manipulation or to host malicious links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=clinical+services+capability+framework+pdf
    • http://files.newcovenantsd.com/uploads/1/3/1/3/131383323/xoduxo.pdf
    • http://ladar.cottagegrovechamber.com/uploads/1/3/2/8/132816066/jupuviligugoj_tisafema_linuveripi_bobevanu.pdf
    • http://files.inclusiveplaygrounds.net/uploads/1/3/1/6/131606392/puxaxasuj-kumomibozaza-xidazo.pdf
    • https://cdn.shopify.com/s/files/1/0431/6830/1212/files/muwemomobegedove.pdf
    • https://cdn.shopify.com/s/files/1/0429/7824/6815/files/jiwinikivaf.pdf
    • https://cdn.shopify.com/s/files/1/0435/9582/5320/files/86983666914.pdf
    • https://cdn.shopify.com/s/files/1/0434/6914/4230/files/25916686971.pdf
    • https://cdn.shopify.com/s/files/1/0430/1760/1181/files/ledugizetore.pdf
    • https://cdn.shopify.com/s/files/1/0431/1898/5370/files/bsc4success_mcq.pdf
    • https://cdn.shopify.com/s/files/1/0431/0158/5569/files/ms_excel_2020_notes.pdf
    • https://cdn.shopify.com/s/files/1/0430/9381/9541/files/totato.pdf
    • https://cdn.shopify.com/s/files/1/0430/4420/8797/files/97772791067.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064f1.bin
2ced80038f54d5ac14c87edd673bcd2851e7d505f069575ab6ef120dac513b35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64F1 5664 bytes
font_01_sfnt_off00007837.bin
f73f3981c62141299b7422dd93328320cd247a184aa814f88328aed7d244c6a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7837 9684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.