Malicious PDF — malware analysis report

Static analysis result for SHA-256 e86c5d158feb8e4c…

Verdict: MALICIOUS
File type: PDF
Size: 42.2 KB
Created: 2020-08-19 14:37:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 53b2406b505d05b4426a8077d819d4bb
SHA-1: 3d2b7ef19f2e461aaa6eecb0fe3cc3dea9f23e4a
SHA-256: e86c5d158feb8e4cc485a3256a125c198cf4a1c81743d0ad39e613ddade98769
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=free+printable+blank+practice+writing+sheets'. This URL is presented within the document body, disguised as a link to free printable writing sheets. The PDF also exhibits characteristics of a link farm, with numerous external links, many of which point to Shopify domains hosting other PDFs. The primary malicious URL is the most critical IOC, as it serves as the initial point of compromise.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=free+printable+blank+practice+writing+sheets

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006664.bin
  SHA-256: 9447ebf0aa8d249d606f6efdb1152739d156a9f558337ce262188d686b58def2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6664
  Size: 5444 bytes

Filename: font_01_sfnt_off000078f1.bin
  SHA-256: 054fed0dae5fbe8a1fa2b57e7d556c592020c7108ba9da62edcccbd971a23e81
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x78F1
  Size: 10300 bytes