Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa2980daed5f1739…

MALICIOUS

PDF

Size: 44.7 KB
Created: 2020-08-22 08:59:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 843fa65cdd280553a60e8198934144d0
SHA-1: 2c8f3d0033b5e09b4e89bdb34e6c667683b9799f
SHA-256: fa2980daed5f173992a2f096cce909e0d7b124114062c19034896d09583abf40
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=evaluation+sheet+template+excel'. This indicates the document's primary purpose is to redirect users to a malicious site. Additionally, the PDF exhibits characteristics of a link farm, embedding numerous external links, many of which point to Shopify domains hosting PDF files, likely to manipulate search engine results or distribute further malicious content. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=evaluation+sheet+template+excel

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000072d5.bin
    SHA-256: 0db9a37853480d671e978b9e6cbcbcb36d507a90a3b646b00af1cc1b03147b97
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72D5
    Size: 5160 bytes
  • font_01_sfnt_off00008446.bin
    SHA-256: d2eb2cad800f941606e2db38b61efe6b1c1f948ac0b5e483f7638916b27fd8b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8446
    Size: 9852 bytes