Malicious PDF — malware analysis report

Static analysis result for SHA-256 da5d010dc5068d4e…

Verdict: MALICIOUS
File type: PDF
Size: 43.0 KB
Created: 2020-09-04 15:42:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fef721dffdb9ff7807b30bd376c80951
SHA-1: df1572d9e46610776f26307b0e9b525eb08e9f73
SHA-256: da5d010dc5068d4e819ea06d705db41f4a8b6fe3cc5e8a7d72ba5f1619e583b7
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, one of which points to a known malicious redirector. The embedded URL 'https://ttraff.me/pify?keyword=editing+worksheet+with+answers' is the primary indicator of malicious intent. This pattern suggests a phishing or malware-distribution campaign that uses a link farm to obscure the final destination.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/pify?keyword=editing+worksheet+with+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000693c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x693C   5168 bytes
  SHA-256: 72565d6011d5d1a6c62c2cb950ba0a0f22c6f312bdf1dd6d67e8e0d3d02d77f5
font_01_sfnt_off00007ae4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7AE4   10696 bytes
  SHA-256: 09ab64777c6ef96e5848c61866c6fe7f4fc9c46dc68e27c1a570a975cabe6ff1