Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed6737248b725c24…

MALICIOUS

PDF

41.4 KB Created: 2020-08-11 09:41:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 333449060e18eaea894f807f48599cd0 SHA-1: f74343371c7bf3ad9dfae469cd5161284278ff16 SHA-256: ed6737248b725c2413d0fd43e3cfb69707e4d74eb99a2cd0536210b503517ca9
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text suggesting it is an 'epf withdrawal form', aligning with the 'SE_INVOICE_LURE' heuristic. The primary malicious link, https://ttraff.cc/pify?keyword=epf+withdrawal+form+31+pdf, is likely used to deliver a secondary payload. The presence of numerous links to external PDFs, many hosted on Shopify, suggests a link farm for SEO poisoning or to obscure the final destination.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=epf+withdrawal+form+31+pdf
    • http://files.gentlemaccoaching.com/uploads/1/3/1/4/131454420/kexabi.pdf
    • http://files.learntofencega.com/uploads/1/3/1/8/131872238/tiwotekoxagep_xavewisowivaxem.pdf
    • http://files.afleroux.com/uploads/1/3/1/0/131070291/xaniwu.pdf
    • https://cdn.shopify.com/s/files/1/0438/3513/0018/files/algebra_worksheets_year_7.pdf
    • https://cdn.shopify.com/s/files/1/0429/5829/1093/files/10685173437.pdf
    • https://cdn.shopify.com/s/files/1/0431/6590/9160/files/16053523779.pdf
    • https://cdn.shopify.com/s/files/1/0430/3480/4375/files/riwojixolajojagavugaj.pdf
    • https://cdn.shopify.com/s/files/1/0432/9239/3640/files/shackleton_s_journey_activity_book.pdf
    • https://cdn.shopify.com/s/files/1/0431/5768/4375/files/edward_leedskalnin_magnetic_current.pdf
    • https://cdn.shopify.com/s/files/1/0437/3633/4501/files/reler.pdf
    • https://cdn.shopify.com/s/files/1/0433/7369/1045/files/cdf_in_r.pdf
    • https://cdn.shopify.com/s/files/1/0431/9579/3571/files/fiwisatadigimemam.pdf
    • https://cdn.shopify.com/s/files/1/0433/4272/5275/files/61792819311.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006428.bin
cc4d07c4f3af57dc0f6a196e2fb8c55abd385bf53d859e6c71dc16f6de22ce6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6428 5368 bytes
font_01_sfnt_off00007662.bin
a45a57d25b5362c6b4bd63186414a2361f7fcef99401f74259eaf41c151ac713		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7662 10244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.