Malicious PDF — malware analysis report

Static analysis result for SHA-256 deee68ef27db5f93…

MALICIOUS

PDF

50.9 KB Created: 2020-08-06 20:59:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 66964902312734b637a4d46cd44e5432 SHA-1: 77a5db9b35d3ccbc21bf81845649c551f03de06d SHA-256: deee68ef27db5f930a0cdad673d6b94d8d71e53794a0059491602d128fbf794f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one specifically identified as a malicious redirector pointing to 'https://ttraff.cc/pify?keyword=arabic+letters+and+words+pdf'. This suggests a phishing or scam attempt, likely aiming to redirect the user to a malicious site. The presence of a link farm further supports this, as it's a common tactic for SEO poisoning or distributing malicious content. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=arabic+letters+and+words+pdf
    • http://rubig.justkiddingtheatrecompanyinc.org/uploads/1/3/0/7/130738799/goliru_sakeko_nejofezelu.pdf
    • http://files.bernhardjowolf.de/uploads/1/3/1/4/131406563/48d8a71114b47c6.pdf
    • http://netofi.eskrimacombativesfmaie.com/uploads/1/3/2/6/132681026/fibojofiximon.pdf
    • http://arabicquick.com/content/uploads/2016/02/
    • https://cdn.shopify.com/s/files/1/0430/4109/5834/files/kamamirakunugelaginepuwex.pdf
    • https://cdn.shopify.com/s/files/1/0440/6001/6790/files/9_11_pentagon_video.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/36103472339.pdf
    • https://cdn.shopify.com/s/files/1/0437/7185/5002/files/final_fantasy_xv_strategy_guide.pdf
    • https://cdn.shopify.com/s/files/1/0432/1997/6350/files/73855670869.pdf
    • https://cdn.shopify.com/s/files/1/0435/9471/1203/files/36908565658.pdf
    • https://cdn.shopify.com/s/files/1/0434/8336/5528/files/9558477660.pdf
    • https://cdn.shopify.com/s/files/1/0433/3237/0584/files/74616716177.pdf
    • https://cdn.shopify.com/s/files/1/0436/5346/4214/files/15197734028.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0000a005.bin
4939d25979ea1390f4b9a4c653bc8f89eae35be3e3f0c04bb9fde5b6670bb807		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA005 19608 bytes
font_00_sfnt_off000061d8.bin
849ca59160672864ddde31626d536fcf36ce15c5247130f8a3939295c1730189		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61D8 5372 bytes
font_01_sfnt_off00007432.bin
e3727662d7249593a3b6d0b483c760420c8fc754bc9c8e3e6bb782f4f7b1e7ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7432 13768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.