Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6ae35d3a91d6f5c…

MALICIOUS

PDF

46.8 KB Created: 2020-08-23 05:45:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8bb98e2a4b3cd6eb796c55f9659365c9 SHA-1: b57aabcb2781901f7363a64a952859519155ab4d SHA-256: e6ae35d3a91d6f5cb8fa6f8846b910c3e5c9a7bacf4258312f11fbdaf502a43b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF document contains embedded links that are identified as malicious redirectors. The document body, though partially corrupted, suggests a lure related to a 'Medicare levy exemption form 2017'. The primary malicious link, https://ttraff.cc/pify?keyword=medicare+levy+exemption+form+2017, is a known redirector. The presence of numerous other PDF links, many hosted on Shopify, indicates a link farm strategy to obscure the final destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=medicare+levy+exemption+form+2017
    • http://vejex.livelively.co.nz/uploads/1/3/1/3/131379698/jorinofogetikab_fafapagexalupe_demusugurebu.pdf
    • http://files.lifestylefaceandbodycare.co.uk/uploads/1/3/1/3/131383954/xowepesimisewiz.pdf
    • https://cdn.shopify.com/s/files/1/0429/1887/1207/files/92436441225.pdf
    • https://cdn.shopify.com/s/files/1/0428/9930/8700/files/agonistas_colinrgicos.pdf
    • https://cdn.shopify.com/s/files/1/0431/3346/8821/files/9104685114.pdf
    • https://cdn.shopify.com/s/files/1/0428/3373/9932/files/29524058219.pdf
    • https://cdn.shopify.com/s/files/1/0428/5107/4204/files/19072211712.pdf
    • https://cdn.shopify.com/s/files/1/0432/7168/4252/files/25878146597.pdf
    • https://cdn.shopify.com/s/files/1/0434/0416/5285/files/cervicofacial_flap.pdf
    • https://cdn.shopify.com/s/files/1/0431/4241/4493/files/xepozozofowa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007758.bin
e00c65a9b9295f908aed669a904eeef0628ac347d5127fe88ace09a9c72f8cb4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7758 5764 bytes
font_01_sfnt_off00008b09.bin
98697c49e951d7a4fee263ee4f34e750bf771eec381005a87779a532ae48bc01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B09 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.