Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3d1a192a55f74ec…

MALICIOUS

PDF

45.8 KB Created: 2020-08-02 09:19:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c263947c9a880e0808aaa438a926b6c SHA-1: 7dd242969c46825bc4a18aa165cde236b0a1f610 SHA-256: e3d1a192a55f74ec1cbdde1cbfa9725d7ecdb70c8bacbbc58ea17fc0b9e3950b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with the primary malicious redirector link being https://ttraff.com/pify?keyword=are+banks+closed+on+veterans+day+2016. This indicates a phishing or scam attempt to redirect users to potentially harmful content. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=are+banks+closed+on+veterans+day+2016
    • http://files.laughingdogsacademy.com/uploads/1/3/1/3/131380598/f1d463383c.pdf
    • http://files.godbeyfarms.com/uploads/1/3/2/6/132695455/kiturado-mabuvimos.pdf
    • http://files.civility-project.com/uploads/1/3/1/4/131453682/c18b510fb497.pdf
    • http://files.gercahillibclc.com/uploads/1/3/2/8/132814958/jupubamaxaterisimobi.pdf
    • http://files.seattlefirstbaptist.org/uploads/1/3/2/3/132303080/81e42db7c9176.pdf
    • https://cdn.shopify.com/s/files/1/0435/8491/3565/files/34313624258.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/1261535930.pdf
    • https://cdn.shopify.com/s/files/1/0440/8927/8616/files/windchaser_portable_air_conditioner.pdf
    • https://cdn.shopify.com/s/files/1/0435/5981/3279/files/27101532669.pdf
    • https://cdn.shopify.com/s/files/1/0440/8508/4310/files/sibivaxuxumuwep.pdf
    • https://cdn.shopify.com/s/files/1/0429/5986/3959/files/90089149558.pdf
    • https://cdn.shopify.com/s/files/1/0432/9055/8622/files/84817163372.pdf
    • https://cdn.shopify.com/s/files/1/0430/2677/6227/files/21386812019.pdf
    • https://cdn.shopify.com/s/files/1/0430/3237/9545/files/81421444729.pdf
    • https://cdn.shopify.com/s/files/1/0449/2450/2171/files/bill_of_sale_california.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pizegavegip.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dipipopiluniwewikojidil.pdf
    • https://cdn.shopify.com/s/files/1/0433/4115/2421/files/83058939249.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007255.bin
c2a60ce8979bd88a95913d9d9531575b0799086fb3fd669e9fd047944b08b851		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7255 5768 bytes
font_01_sfnt_off00008618.bin
91e2878be98568e77a44fd5c0126e01195160f6a16d9d283d775749478cf8ea9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8618 10532 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.