Malicious PDF — malware analysis report

Static analysis result for SHA-256 df2ef11a6f8346af…

Verdict: MALICIOUS
File type: PDF

Size: 60.4 KB
Created: 2020-09-10 03:16:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f147ff64c01563d1da397df8862359e
SHA-1: 8b7aa4ffae34a341ff7c420c142dcb688178a8a6
SHA-256: df2ef11a6f8346af0256ea3356c2794c0b4794bd391c237c587cf3e997e95801
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a mass of external links, including a known malicious redirector. The document body text, though heavily obfuscated, contains the URL "https://ttraff.link/wix?keyword=advanced+higher+maths+equation+sheet", which is likely intended to lure the user into clicking through to a malicious site. The presence of numerous other PDF links suggests a link farm or SEO poisoning tactic to distribute the malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://ttraff.link/wix?keyword=advanced+higher+maths+equation+sheet
    • https://cdn.shopify.com/s/files/1/0431/5866/7430/files/cbse_class_6_civics_chapter_2_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0438/8365/9419/files/bsc_nursing_online_form_fill_up.pdf
    • https://cdn.shopify.com/s/files/1/0428/8669/3023/files/action_box_v2_software.pdf
    • https://cdn.shopify.com/s/files/1/0431/5470/2496/files/niruxixezalojexetosafa.pdf
    • https://cdn.shopify.com/s/files/1/0431/1639/6697/files/address_labels_template_avery.pdf
    • https://static.usrfiles.com/ugd/c1c462_6b7053bf3e5e441cac23cccdf80605a8.pdf
    • https://static.usrfiles.com/ugd/a1fb72_38c75e53a09a4e79a8e06dd7d129e58b.pdf
    • https://static.usrfiles.com/ugd/eb6612_00841f19e8004560a50c32ed26597807.pdf
    • https://cdn.shopify.com/s/files/1/0433/4636/2533/files/kudekuwovopi.pdf
    • https://cdn.shopify.com/s/files/1/0432/4202/9215/files/aranyak_story.pdf
    • https://cdn.shopify.com/s/files/1/0434/4607/5542/files/florida_keys_map_with_mile_markers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256                                                  Kind             Source                                     Size
font_00_sfnt_off00009291.bin                                        pdf-font-stream  PDF embedded font (sfnt) at offset 0x9291  5496 bytes
  68eaf88efb2dc3c3b4d188ed56bafbc50cb0adfff8594a9d2a8e0cf4274942bd
font_01_sfnt_off0000a50b.bin                                        pdf-font-stream  PDF embedded font (sfnt) at offset 0xA50B  6044 bytes
  974b14b83cf31d3286cd6caa99679434fd9bd1c0214f29b0f9aa10a7049aa128
font_02_sfnt_off0000b4a9.bin                                        pdf-font-stream  PDF embedded font (sfnt) at offset 0xB4A9  15564 bytes
  401003c8cce34861b557a1c823322372a3f6de5138ae05831efb35ef2129dfda