Malicious PDF — malware analysis report

Static analysis result for SHA-256 dfa61cdcbb9f457b…

MALICIOUS

PDF

51.6 KB Created: 2020-08-04 09:10:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6601f23df9ad33f8e538db53109f2c97 SHA-1: 3325dbceb02f20b3ce419cf4e0296df5e48f6e60 SHA-256: dfa61cdcbb9f457bf53225b6fdf7cf4dfd1876f73361cc16b804ca03d03412c2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to appear as search results for academic material, but redirects to a malicious URL. The primary malicious URL is ttraff.cc, which is flagged as a malicious redirector. The document body is heavily obfuscated but contains the malicious URL and appears to be generated by wkhtmltopdf.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=name+reactions+in+organic+chemistry+pdf
    • http://files.matakanacommunitygroup.online/uploads/1/3/2/8/132814241/10e828.pdf
    • http://files.yodopay.com/uploads/1/3/2/3/132303248/1602960.pdf
    • http://files.sharongollan.co.uk/uploads/1/3/0/8/130874124/4da2656.pdf
    • http://files.christchurchbabylon.org/uploads/1/3/1/6/131636903/pabiruk_tojexif.pdf
    • https://cdn.shopify.com/s/files/1/0433/6081/3208/files/89970536773.pdf
    • https://cdn.shopify.com/s/files/1/0428/7237/3414/files/mepoxegimorij.pdf
    • https://cdn.shopify.com/s/files/1/0431/6495/8879/files/14144696305.pdf
    • https://cdn.shopify.com/s/files/1/0436/4566/5433/files/20001869202.pdf
    • https://cdn.shopify.com/s/files/1/0445/3846/2372/files/at_t_premier.pdf
    • https://cdn.shopify.com/s/files/1/0433/6618/7176/files/52668486261.pdf
    • https://cdn.shopify.com/s/files/1/0438/3621/1362/files/vmware_workstation_crack.pdf
    • https://cdn.shopify.com/s/files/1/0428/7230/7875/files/wazalefiwebaragomowijeniz.pdf
    • https://cdn.shopify.com/s/files/1/0434/1507/7022/files/redfield_revolution_2-_7x33.pdf
    • https://cdn.shopify.com/s/files/1/0432/6280/4136/files/47252415510.pdf
    • https://cdn.shopify.com/s/files/1/0434/7949/8918/files/duvoluwax.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/20011772627.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/file

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000764d.bin
32357d507ea66dcbb72c716423ce7398add71e752a41b2830ef2ab1e677bd99f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x764D 5396 bytes
font_01_sfnt_off0000887c.bin
656135409904ae05fd8eb794b69ff93b636b68011fa06982abe8f821b42c0401		 pdf-font-stream PDF embedded font (sfnt) at offset 0x887C 13420 bytes
font_02_sfnt_off0000b29e.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB29E 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.