Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddc08b11f36dd064…

MALICIOUS

PDF

43.2 KB Created: 2020-08-06 22:40:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c872dac96719c1162ee483a19b193b4 SHA-1: ed665dd65dc0547ca5309c28de53eda8ee55b3bf SHA-256: ddc08b11f36dd064d739ebbe6089659e829f644c199b8340a9f6c38d702d3eaf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic firing indicates that the PDF links to known malicious redirector infrastructure, specifically 'https://ttraff.com/pify?keyword=zerodha+varsity+module+1+pdf'. This suggests the document is designed to redirect users to malicious sites under the guise of providing PDF documents. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=zerodha+varsity+module+1+pdf
    • http://files.paintingbyme.com/uploads/1/3/1/4/131406258/c1fa8.pdf
    • http://xelojo.w-mreferendum2019.org/uploads/1/3/0/9/130969061/57fa681cd1.pdf
    • http://files.cookiecreationsbysteph.com/uploads/1/3/0/9/130970004/c40dced48cd0.pdf
    • http://files.trancityevent.com/uploads/1/3/0/8/130813827/2486258.pdf
    • https://cdn.shopify.com/s/files/1/0430/8697/1029/files/carte_d_invitation_mariage.pdf
    • https://cdn.shopify.com/s/files/1/0430/4135/7973/files/beef_biryani_recipe.pdf
    • https://cdn.shopify.com/s/files/1/0430/5915/1009/files/xudavuzevetozoseb.pdf
    • https://cdn.shopify.com/s/files/1/0431/2802/9345/files/77355080751.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/84113106953.pdf
    • https://cdn.shopify.com/s/files/1/0427/8360/4903/files/adelaide_botanic_gardens_map.pdf
    • https://cdn.shopify.com/s/files/1/0437/9013/9549/files/nerosuwozudi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/94323725826.pdf
    • https://cdn.shopify.com/s/files/1/0431/0132/3420/files/tixevijibazemasotijepizog.pdf
    • https://cdn.shopify.com/s/files/1/0431/9445/0078/files/29444788106.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xiguxalenagidofivixonagez.pdf
    • https://cdn.shopify.com/s/files/1/0437/1880/3607/files/sevizujivubatot.pdf
    • https://cdn.shopify.com/s/files/1/0435/2317/8656/files/amendments_worksheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b62.bin
93ec15b2bf6300c870cf7f65baa34c5d88fad3b5bc512a81b866460e0ab796b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B62 5452 bytes
font_01_sfnt_off00007dd8.bin
8cab054d77d8d6ab8e1d48abe14fc34007721a0aa3772e725550cee6e41bff3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DD8 9900 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.