Malicious PDF — malware analysis report

Static analysis result for SHA-256 e22783b3d64e98af…

MALICIOUS

PDF

31.8 KB Created: 2020-09-18 04:09:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 77a83c510351a401c23f6e2f52db5073 SHA-1: fd2fe27d645ffb907965890bb72858a29c336b7a SHA-256: e22783b3d64e98af31a5d611364f469dac4e5e1dfb4d93327f788103756cafbb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with at least one identified as a malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' and 'PDF_SEO_LINK_FARM' strongly indicate that this document is designed to lure users to malicious sites. The document body contains garbled text but includes the suspicious URL https://ttraff.me/wix?keyword=apas+report+umn, reinforcing the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=apas+report+umn
    • http://files.intellectualgroomers.com/uploads/1/3/1/3/131384171/4cb63d0c2dbbb12.pdf
    • http://riziga.lovelocalnashville.com/uploads/1/3/0/9/130969018/3365685.pdf
    • http://rerut.traceyknapp.com/uploads/1/3/0/7/130776132/6182988.pdf
    • http://files.kemiesho.com/uploads/1/3/0/7/130739747/30e9f44af7.pdf
    • https://cdn.shopify.com/s/files/1/0432/6775/2099/files/dark_wraith_of_shannara.pdf
    • https://3b1bf5e9-30c1-458c-9e87-075e0ca6d315.filesusr.com/ugd/2ac701_de3dcb95448e46629a5a0dda547126f7.pdf?index=true
    • https://9b7201cf-15d1-4199-9e4e-bd0875e64094.filesusr.com/ugd/f6a907_e5bc1ed763fe4becb4ee1a15000e9f91.pdf?index=true
    • https://bd7294e4-bea2-4f2d-ac36-7c02b271b8d8.filesusr.com/ugd/9c66ff_b7eb790725aa437eb6ebdfea27c80cd6.pdf?index=true
    • https://2afee5fd-0686-4759-9589-5385b18fe58e.filesusr.com/ugd/3c8574_b283a0040a374f0ca4ceb7b8714de016.pdf?index=true
    • https://dc13e3d2-2fb3-487c-8bd1-e532b2024877.filesusr.com/ugd/64f9d2_6071c259f48f4865849f89bd395ec305.pdf?index=true
    • https://d834be7b-a886-4d78-9f71-12d9b1dd83d9.filesusr.com/ugd/2994dd_c9ab5a3b85b648c680441dfe351e0157.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004273.bin
dcb9d7a79ecd6500d5ae310b6e210d3aa5a09da39f8632212ad1c94eb1d1f5aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4273 4920 bytes
font_01_sfnt_off00005319.bin
f5e0e272627e8eb9d1c3105fa69ba504203d594f4ca64a14a40ef3ba695d4b57		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5319 9448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.