Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef73379a171c2029…

MALICIOUS

PDF

44.9 KB Created: 2020-08-12 01:17:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8b004d0ea605a4588583ec65b551d6bf SHA-1: e12eb6b0e2ed5dd0491708bf65ee3b3fd35c63cd SHA-256: ef73379a171c202984bd258872e24d3b2d27b80277d80ec34d92001e807bd45b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.com, disguised with the text "self certification pdf". This indicates a phishing or social engineering attempt to redirect the user to malicious content. The file also contains a large number of external PDF links, many hosted on Shopify, suggesting a link farm or SEO poisoning tactic to improve search engine ranking for malicious content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=self+certification+pdf
    • http://files.katiehallarttherapy.com/uploads/1/3/0/9/130969509/4bf36f8e5fbe4ca.pdf
    • http://files.gardenspotrentals.net/uploads/1/3/2/6/132681938/finefenusavat.pdf
    • http://kebinel.downtoearth-solutions.com/uploads/1/3/1/6/131606577/8699272.pdf
    • https://cdn.shopify.com/s/files/1/0432/0703/2990/files/11829661985.pdf
    • https://cdn.shopify.com/s/files/1/0434/4184/8470/files/3d_in_powerpoint.pdf
    • https://cdn.shopify.com/s/files/1/0432/1404/5341/files/61246450162.pdf
    • https://cdn.shopify.com/s/files/1/0430/8343/2096/files/dragon_age_arcane_warrior_build.pdf
    • https://cdn.shopify.com/s/files/1/0435/5863/3627/files/19503926103.pdf
    • https://cdn.shopify.com/s/files/1/0438/2566/0066/files/nine_point_circle_proof.pdf
    • https://cdn.shopify.com/s/files/1/0434/3113/3340/files/cake_by_the_ocean_guitar_tab.pdf
    • https://cdn.shopify.com/s/files/1/0428/3580/4319/files/50521384831.pdf
    • https://cdn.shopify.com/s/files/1/0429/4826/4089/files/95234903130.pdf
    • https://cdn.shopify.com/s/files/1/0428/5209/0022/files/kumigifarazotamolifeg.pdf
    • https://cdn.shopify.com/s/files/1/0432/2807/0052/files/90600876818.pdf
    • https://cdn.shopify.com/s/files/1/0434/3899/7665/files/85122478201.pdf
    • https://cdn.shopify.com/s/files/1/0429/3056/9382/files/95268278841.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007376.bin
ae5630e0884773956cee7e35f580ed170d1b5ddafe41c4937b160394e7be6906		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7376 5072 bytes
font_01_sfnt_off000084b8.bin
345bf5cc91244e904b90b080b729db19cbf127bc25a3533f9938228f41344fd6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84B8 10076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.