Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6cc88bed8c077dd…

MALICIOUS

PDF

43.5 KB Created: 2020-08-15 07:38:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4cc7ccec03db055a6f4245c335482d4a SHA-1: 77d191603292a027b90fd9f1bbda394b1f4c5647 SHA-256: e6cc88bed8c077ddec836260e7531dcbb9b99cd21676733b576e1016b84e6763
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with a critical heuristic identifying a link to a known malicious redirector at 'https://ttraff.com/pify?keyword=complex+fractions+worksheet'. The document body, though partially corrupted, suggests a lure related to 'Complex fractions worksheet'. The presence of a link farm heuristic further indicates an attempt to distribute content or traffic through numerous external links, with a significant number pointing to Shopify domains. The primary attack vector appears to be directing users to malicious infrastructure via embedded links within the PDF.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=complex+fractions+worksheet
    • http://files.puristaromas.com/uploads/1/3/0/9/130969505/nexero.pdf
    • https://cdn.shopify.com/s/files/1/0428/5235/2159/files/29738719774.pdf
    • https://cdn.shopify.com/s/files/1/0434/1478/2103/files/wokadisobuziba.pdf
    • https://cdn.shopify.com/s/files/1/0434/6871/8233/files/68797715342.pdf
    • https://cdn.shopify.com/s/files/1/0429/3056/9382/files/vajewaza.pdf
    • https://cdn.shopify.com/s/files/1/0428/0470/7491/files/junimomekudefu.pdf
    • https://cdn.shopify.com/s/files/1/0432/0319/9138/files/adobe_premiere_tutorials_in_tamil.pdf
    • https://cdn.shopify.com/s/files/1/0432/7673/0533/files/pizazotekezi.pdf
    • https://cdn.shopify.com/s/files/1/0435/9749/6477/files/worldwide_airport_codes.pdf
    • https://cdn.shopify.com/s/files/1/0431/2442/4853/files/3271502434.pdf
    • https://cdn.shopify.com/s/files/1/0437/9849/5389/files/agility_ladder_drills_soccer.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c3f.bin
0d203ee4fd88d703769e6e809cd15660c1a1fbcd4db8829f674738764b479a5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C3F 5384 bytes
font_01_sfnt_off00006e6b.bin
58b4873d33ac9fffaf45ed1a2312b8eb5fadf3b067e77f8cfe9e87095f6a7717		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E6B 6068 bytes
font_02_sfnt_off00007e1c.bin
8179cb5cfc663564ea07bedc57d16ee13f99dd80f049dc6d1c68ce180ab5cecd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E1C 10360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.