Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0475b20fde0062e…

MALICIOUS

PDF

43.9 KB Created: 2020-09-02 12:10:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c5f445b87cc74b2016101563f23baea SHA-1: 811087331dc48e1ed82cd908c0d5e909bcd6c828 SHA-256: f0475b20fde0062ef605803dcc9df8fb9a9a6ad485e9f75f1ad419f3d3ca6005
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=definition+of+design+and+technology+pdf'. This indicates the document's primary purpose is to lure the user to a potentially harmful external site. The PDF also contains a mass external PDF link farm, further supporting the malicious redirection intent. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=definition+of+design+and+technology+pdf
    • https://cdn.shopify.com/s/files/1/0435/7370/6913/files/cations_are_formed_by_brainly.pdf
    • https://cdn.shopify.com/s/files/1/0434/1796/0604/files/pifazexogugozelowize.pdf
    • https://cdn.shopify.com/s/files/1/0434/8579/0358/files/hiring_template_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/0032/3486/files/83135644127.pdf
    • https://static.usrfiles.com/ugd/63d3ad_85a2f99a0d8341cfb51e62fb6100e07c.pdf
    • https://static.usrfiles.com/ugd/98e298_07c2770844fd4766aca561ce37e46b9a.pdf
    • https://static.usrfiles.com/ugd/b8c837_a68c19e79ac14cc0a1bd0bc883cb7970.pdf
    • https://static.usrfiles.com/ugd/e745be_dfc77d16d06741749ebc6f324c6f296c.pdf
    • https://static.usrfiles.com/ugd/6dcf04_b9a6b90ef65c4feaae84581c48212b4d.pdf
    • https://static.usrfiles.com/ugd/0dd040_260ebdc547504186aee3a3dbcac3d5ff.pdf
    • https://static.usrfiles.com/ugd/b8c837_3c29623315d34921a674195d9875160d.pdf
    • https://static.usrfiles.com/ugd/7ff653_1d97678a4a474248aa8d077df6c335cc.pdf
    • https://static.usrfiles.com/ugd/c1de29_cdc85ee37dae4f02bdaf38eb01c7bdfd.pdf
    • https://cdn.shopify.com/s/files/1/0431/7003/7917/files/visogijanobenutasimu.pdf
    • https://cdn.shopify.com/s/files/1/0433/4705/0661/files/rupagax.pdf
    • https://cdn.shopify.com/s/files/1/0432/6051/0376/files/55342710752.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/e745be_d

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b75.bin
2930ce3ace574f24f4893e78290d23f6bc4a1c4b91d8b8aefb4323ccf7350653		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B75 5424 bytes
font_01_sfnt_off00007dfd.bin
eec795ba25eaaecda0a0572e04e4a229cf9b63cea314e2de27eff8faf4e36573		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DFD 10128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.