Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5546a7614b592e3…

Verdict: MALICIOUS
File type: PDF
Size: 38.2 KB
Created: 2020-09-16 19:06:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62d1de95abef1a6da46690df76b788ef
SHA-1: d9e7760a753d46a0f1ca0b41ee8740e0c5fcebd1
SHA-256: e5546a7614b592e3abd2aed8a8c441f5daacf3841385dd334100a90d2c6007e7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a link to a known malicious redirector, ttraff.me, disguised as the answer key to a grammar exercise. This points to a phishing or social-engineering lure intended to send users through a redirect chain to malicious content. The PDF also contains a large number of links to other PDFs hosted on cdn.shopify.com and filesusr.com, most likely a link farm built to raise the search-engine ranking of the malicious content. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.me/wix?keyword=gram%25C3%25A1tica+7.1+reflexive+verbs+answers
    • https://cdn.shopify.com/s/files/1/0432/2885/6477/files/77293811039.pdf
    • https://cdn.shopify.com/s/files/1/0432/5815/1072/files/21192985114.pdf
    • https://cdn.shopify.com/s/files/1/0428/2518/7491/files/irs_conservation_easement_audit_guide.pdf
    • https://a37ef15f-7918-40cb-9986-11f2a5233a57.filesusr.com/ugd/c83fdb_4f5041de3bf24503bf4466edde9fd52d.pdf?index=true
    • https://9400ae49-5fc5-42f7-8f81-1952de9aad70.filesusr.com/ugd/2eff39_8e35495bc8684190a1dd203fbc582449.pdf?index=true
    • https://191ca269-1c9d-4cc7-8d2b-e1ccbe15ba6f.filesusr.com/ugd/f68081_61f7892ab3d349b69033d2fc1e22a833.pdf?index=true
    • https://948c18bd-523a-4cd5-8913-72d560fdf050.filesusr.com/ugd/6f5f23_45e360d5f17c4b2bbd1bba85c9a9aad2.pdf?index=true
    • https://001cbe35-29fe-4245-8fcf-f9a430cdcf04.filesusr.com/ugd/34e21e_1d74693b81074cfb9f0ee922bb448da2.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0441/3220/4696/files/74041620042.pdf
    • https://cdn.shopify.com/s/files/1/0431/0371/5489/files/wolozaletevuj.pdf
    • https://cdn.shopify.com/s/files/1/0435/1701/8267/files/fegowunukozofavuvenevobug.pdf
    • https://29ef7ca9-e4c2-4b13-a1b5-4535ee68a34b.filesusr.com/ugd/18574e_d19d4b5e586b4dbcbbfb55bf63c34aa5.pdf?index=true
    • https://99b05e14-4920-4cf8-aa54-b568fc519b47.filesusr.com/ugd/b81754_fda0f36dac92411cafa6c11eb1e836ec.pdf?index=true
    Standard XMP/RDF namespace identifiers found in the document metadata (not link annotations):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000052ee.bin
  SHA-256: 5e25dcbefc058455242700899b6c91c636bd2cd76d20168beddd5857f8696921
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x52EE
  Size:    5816 bytes

Filename: font_01_sfnt_off00006641.bin
  SHA-256: e335d661672008b5e40c52646a0f659aa953ed77327c259157cf1197ca68fb1e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6641
  Size:    10688 bytes