Malicious PDF — malware analysis report

Static analysis result for SHA-256 da39430e1fea9546…

Verdict: MALICIOUS
File type: PDF
Size: 62.7 KB
Created: 2020-08-22 03:12:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 871ca937735fe047d7f82d5fd63a31ac
SHA-1: 204202bc57946dd2d6672b8a1497ef50f18df6f7
SHA-256: da39430e1fea95466ddf68163845093271cdfb80eacaff4fc996042b5004342b
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=sikar+army+bharti+2019+online+form'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on Shopify. The document body, though partially corrupted, contains text related to 'Sikar army bharti 2019 online form' and the authoring application 'wkhtmltopdf', suggesting a lure to a fake recruitment portal. The presence of multiple benign Shopify links alongside the malicious one indicates a potential attempt to blend malicious content with legitimate resources.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_URGENCY_LURE: Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
  • [info] EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.ru/pify?keyword=sikar+army+bharti+2019+online+form

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off000089e8.bin
  SHA-256: 9f3ea31c878963a8ad1c13d1302d44ac5303937008c16117bcf1eef07df69bed
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x89E8
  Size: 5720 bytes

font_01_sfnt_off00009d4d.bin
  SHA-256: b91f3c26f37c28538ed09035cbea6f9221827f1e30b50c452f08cc820bcc167b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9D4D
  Size: 3720 bytes

font_02_sfnt_off0000a8b0.bin
  SHA-256: 824e833a0050274447729223cc9d4055e2f073d05fd08643da5fe12bb6a1ba49
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA8B0
  Size: 10596 bytes

font_03_sfnt_off0000cc87.bin
  SHA-256: d5b48a505cec4c02a063cc6241c6bb14a6346032c4cf88424ef00f37b4832222
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCC87
  Size: 10268 bytes