Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0c4c5c9b5dca765…

MALICIOUS

PDF

37.7 KB Created: 2020-08-22 21:04:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73318baab77016787e2a10e6861a1b3d SHA-1: 102b82676b7315db8681a1824d5a83eeaa075735 SHA-256: f0c4c5c9b5dca765c1069761b486bc0f46ee853989f3d8007263d824becc38c7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK indicating a link to ttraff.cc. This suggests the document is designed to redirect users to malicious infrastructure. The document body, though partially corrupted, contains the text 'Drawing cubes worksheet', likely a lure to entice users to click the embedded links. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=drawing+cubes+worksheet
    • http://fogirizax.mitchadvent.com/uploads/1/3/1/6/131637046/tajujisokifa_gojedomobeke.pdf
    • http://musegiv.eunoiatherapy.com/uploads/1/3/1/6/131606968/xotopexejunesew_xorifaresusu.pdf
    • http://segikawi.internallyflawless.net/uploads/1/3/0/7/130738748/foxaxumegew.pdf
    • https://cdn.shopify.com/s/files/1/0437/7663/9134/files/puzadopesaduserubi.pdf
    • https://cdn.shopify.com/s/files/1/0432/0722/9597/files/9736794152.pdf
    • https://cdn.shopify.com/s/files/1/0438/2985/4368/files/potibim.pdf
    • https://cdn.shopify.com/s/files/1/0431/1692/0996/files/romevapiwuratup.pdf
    • https://cdn.shopify.com/s/files/1/0430/6577/0135/files/catholic_mass_readings_2020.pdf
    • https://cdn.shopify.com/s/files/1/0429/7719/8229/files/sefinopafujodadozozumi.pdf
    • https://cdn.shopify.com/s/files/1/0431/2819/3184/files/bleach_vs_naruto_apk_3._3.pdf
    • https://cdn.shopify.com/s/files/1/0430/4230/8250/files/invoker_dota_1.pdf
    • https://cdn.shopify.com/s/files/1/0438/2952/6690/files/anita_moorjani_dying_to_be_me.pdf
    • https://cdn.shopify.com/s/files/1/0430/4856/6938/files/41154929035.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000054be.bin
c9489ce38d03299d41e991f325d0363257f06a6520b73a38cc22cb90c3a4a0b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54BE 5324 bytes
font_01_sfnt_off000066e5.bin
43cd397c962d69862a5ffb7ebd688c9b6f0091f714d5eca1d858147e6b091ac2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66E5 10364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.