Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0a1857321fdc045…

MALICIOUS

PDF

43.8 KB Created: 2020-09-01 07:42:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 706e7fda595a9c8b0126e768ff43b39e SHA-1: 8bc46ed6c02ac1064b742d705f98632be141392e SHA-256: f0a1857321fdc0456ff1d11980adba1edc45c834e5cf49cc082d037016b917a2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic indicating it's a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=2020+calendar+template+word+portrait'. This URL is designed to lure users by referencing a '2020 calendar template word portrait'. The file also contains a large number of external PDF links, suggesting a link farm or SEO poisoning tactic. No scripts were extracted, but the primary malicious intent appears to be redirection to a potentially harmful site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=2020+calendar+template+word+portrait
    • https://cdn.shopify.com/s/files/1/0429/8552/1311/files/definicion_de_chakra.pdf
    • https://cdn.shopify.com/s/files/1/0432/5172/8546/files/24194912882.pdf
    • https://cdn.shopify.com/s/files/1/0436/9963/4326/files/46229861107.pdf
    • https://cdn.shopify.com/s/files/1/0433/0618/8955/files/28465081381.pdf
    • https://cdn.shopify.com/s/files/1/0440/9311/2472/files/hermes_asset_management_annual_report.pdf
    • https://cdn.shopify.com/s/files/1/0429/3361/6803/files/business_english_books_for_beginners.pdf
    • https://cdn.shopify.com/s/files/1/0440/7066/6390/files/jivupavamadubuzebadikaf.pdf
    • https://static.usrfiles.com/ugd/4b874d_00e115f2c35a48ccbb03d5dfd74ccdaf.pdf
    • https://static.usrfiles.com/ugd/b8c837_c97a82544fe94d92bc39cdba9a0d821c.pdf
    • https://static.usrfiles.com/ugd/739437_c4ff862bd1374a37a3446b146924188d.pdf
    • https://static.usrfiles.com/ugd/3aee12_815a206480d748139d01f82f83fe2206.pdf
    • https://cdn.shopify.com/s/files/1/0429/4764/1511/files/44342685634.pdf
    • https://cdn.shopify.com/s/files/1/0432/3010/1668/files/70658323677.pdf
    • https://cdn.shopify.com/s/files/1/0437/7713/0647/files/standard_queen_bed_sheet_size.pdf
    • https://cdn.shopify.com/s/files/1/0431/0623/8613/files/ripada.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006cd9.bin
46df7b4f0293e604386a55728b8ddc5ec7158f2db0e43d709e454f24ea30dd8f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CD9 5312 bytes
font_01_sfnt_off00007eda.bin
d78c1bd55f1e069e5f19bb87ef26c86ecdf52c1cc8ee3645b9e7d4a22bdf847e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EDA 10220 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.