Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8afd760f3998e3d…

Verdict: MALICIOUS
File type: PDF
Size: 34.1 KB
Created: 2020-08-09 00:55:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c0f89207b92a9513050b0dd94cca041
SHA-1: adc6ed09f84d09fc092e63f9f3d998424f949d42
SHA-256: f8afd760f3998e3df835b5cc0c29800635177e6ffe63c1435b798ebf41ca1a54
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, most of which point to external PDF files hosted on various domains, including a link farm of files served from Shopify's CDN. One of the primary links points to the known malicious redirector 'ttraff.cc'. This indicates a social-engineering lure: the document poses as an academic resource ("philosophy for understanding theology pdf") to route users through redirect chains to malicious content or phishing sites. No scripts were extracted, and the document body was heavily obfuscated, so the exact lure text could not be recovered.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=philosophy+for+understanding+theology+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000047de.bin
  SHA-256: 0c99b803f379616e7d0c82120e94153ca9e326f2ff61c4e0f76dc3e7185afc39
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x47DE
  Size: 5408 bytes

Filename: font_01_sfnt_off00005a48.bin
  SHA-256: 531574ef3ec54d5efd68b3d6469a8dd2ee721fea83f528a91ba90cec5916b402
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5A48
  Size: 9744 bytes