Malicious PDF — malware analysis report

Static analysis result for SHA-256 e355f5606d377b65…

MALICIOUS

PDF

42.8 KB Created: 2020-08-11 17:12:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8d438b97c7e4aafa05361a9ad39d15fc SHA-1: 769d77bf17b0a0bed7d430a6ee5de40ae8a2a4f1 SHA-256: e355f5606d377b65cab5e1183aa92880b46ad1bf5c2a21d2247b4237aa596c9a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The primary malicious URL, 'https://ttraff.cc/wb?keyword=bank%20of%20maharashtra%20closed%20branches%20list%20pdf', is designed to lure users with a seemingly relevant search query. The document body, though heavily obfuscated, also contains this URL, reinforcing the malicious intent. The presence of a link farm suggests an attempt to manipulate search engine results or distribute malicious content broadly.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=bank%20of%20maharashtra%20closed%20branches%20list%20pdf
    • http://files.waveloopart.com/uploads/1/3/2/7/132740343/883d0.pdf
    • http://files.clarevet.com/uploads/1/3/0/7/130738814/6baf8b64a8319.pdf
    • http://bimusumal.stjosephschooltrenton.com/uploads/1/3/1/6/131636948/3ea883549aea7.pdf
    • https://cdn.shopify.com/s/files/1/0427/9681/0396/files/kuzefebuxutasef.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/84860081798.pdf
    • https://cdn.shopify.com/s/files/1/0437/1880/3610/files/lewejezogide.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/63529720688.pdf
    • https://cdn.shopify.com/s/files/1/0435/2871/6440/files/44831593844.pdf
    • https://cdn.shopify.com/s/files/1/0434/5777/3725/files/dejikenuloxuburuzediwuku.pdf
    • https://cdn.shopify.com/s/files/1/0428/5333/5207/files/asvab_mathematics_knowledge_practice_test.pdf
    • https://cdn.shopify.com/s/files/1/0433/8581/5205/files/hakke_lyudmila-_d_review.pdf
    • https://cdn.shopify.com/s/files/1/0433/5570/1398/files/59175210549.pdf
    • https://cdn.shopify.com/s/files/1/0434/4381/4560/files/watufuk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005bf1.bin
4a99de77cc1467c42410b1e3e6841786512a60f9af5d7635e2709f8e51ba926c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BF1 5436 bytes
font_01_sfnt_off00006e2f.bin
8f22992c1cdc5b062802426eca6e5e45d889b01d663aa3c2a7562ece33ecfb8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E2F 9852 bytes
font_02_sfnt_off00008ff2.bin
781b9fae2fb9201b4a05d2041fea553bb2973f1d011ab9c51e3326c72e342c60		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8FF2 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.