Malicious PDF — malware analysis report

Static analysis result for SHA-256 df5252c7c423f0e5…

MALICIOUS

PDF

41.6 KB Created: 2020-08-10 09:54:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e2d4fdfbc39d9490e1f22f570ea9eb4 SHA-1: 58e924fbaa42f5a430201e4b90cf1ef318f41b49 SHA-256: df5252c7c423f0e529100df6983e86acf6bdfa61c280c52e3de349a79251a38a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to `https://ttraff.cc/pify?keyword=new+amplified+bible+pdf`. This URL is presented within the document body, suggesting a social engineering lure to trick the user into clicking it. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to external PDF files. The primary malicious URL is the most critical IOC.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=new+amplified+bible+pdf
    • http://kojuliz.waianaeassemblyofgod.com/uploads/1/3/0/8/130874493/3587871.pdf
    • http://files.kg-games.com/uploads/1/3/1/4/131437885/3000916.pdf
    • http://files.amores-project.eu/uploads/1/3/1/4/131437064/6cfddcc31a8e.pdf
    • http://roluk.beyondthegameplan.com/uploads/1/3/2/7/132740900/3170887.pdf
    • http://zerod.peabodylearningacademy.com/uploads/1/3/1/6/131637136/revatowanibiw.pdf
    • https://cdn.shopify.com/s/files/1/0430/4168/5665/files/29675773809.pdf
    • https://cdn.shopify.com/s/files/1/0434/0193/7063/files/poxodivupiditigefelo.pdf
    • https://cdn.shopify.com/s/files/1/0436/3947/2288/files/fedowotek.pdf
    • https://cdn.shopify.com/s/files/1/0428/6038/0327/files/ambers_menu_2020.pdf
    • https://cdn.shopify.com/s/files/1/0430/7389/6615/files/37499406895.pdf
    • https://cdn.shopify.com/s/files/1/0440/3481/8198/files/fifuvofaka.pdf
    • https://cdn.shopify.com/s/files/1/0431/8976/4245/files/nesadel.pdf
    • https://cdn.shopify.com/s/files/1/0437/1863/9765/files/56298053091.pdf
    • https://cdn.shopify.com/s/files/1/0429/6497/5765/files/duzivimovezabizij.pdf
    • https://cdn.shopify.com/s/files/1/0430/9070/6599/files/medical_fitness_certificate_for_neet_ug_2020.pdf
    • https://cdn.shopify.com/s/files/1/0437/5104/7329/files/43661856524.pdf
    • https://cdn.shopify.com/s/files/1/0434/6504/8214/files/powerpoint_viewer_2010.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000662f.bin
b0823491fc5e7ffaddba68e3fd3b1c4f04e9cf4270d1b2f722384a207baf1cfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x662F 5116 bytes
font_01_sfnt_off0000779e.bin
16ff4a4b8e369d9982be707e6b76ad17ff810d3f89c66d88d888669e719d03e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x779E 9932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.