Malicious PDF — malware analysis report

Static analysis result for SHA-256 faf1f3c11b41fa9d…

MALICIOUS

PDF

44.9 KB Created: 2020-08-12 13:25:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b0821fe8846a9365590931cadbc2ed0 SHA-1: cc49300a0dd203cd5295f41b32078721de7a00af SHA-256: faf1f3c11b41fa9dcbb8c1f55b65f5fdb5ea04ac82410cb7a9937dc077543f84
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with one identified as a malicious redirector pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL. This indicates a clear intent to redirect the user to a potentially harmful site. The presence of a large number of external PDF links also suggests a link farm or SEO manipulation tactic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=workplace+spirituality+and+employee+engagement+pdf
    • http://noneruf.fbctitusville.org/uploads/1/3/1/8/131857334/3021f1f7d0622c4.pdf
    • http://files.emmakayonline.com/uploads/1/3/1/6/131607027/a58e57276b8d9fc.pdf
    • http://winapox.jennypiersol.com/uploads/1/3/1/6/131637254/9672545.pdf
    • https://cdn.shopify.com/s/files/1/0439/4975/2478/files/721596236.pdf
    • https://cdn.shopify.com/s/files/1/0434/5613/5334/files/prevention_of_rh_d_alloimmunization_acog.pdf
    • https://cdn.shopify.com/s/files/1/0434/0688/5027/files/wupijutonavu.pdf
    • https://cdn.shopify.com/s/files/1/0428/2135/3635/files/41131511300.pdf
    • https://cdn.shopify.com/s/files/1/0437/2886/3397/files/kigot.pdf
    • https://cdn.shopify.com/s/files/1/0431/9330/3204/files/97028135556.pdf
    • https://cdn.shopify.com/s/files/1/0431/9156/6493/files/japanese_text_faces.pdf
    • https://cdn.shopify.com/s/files/1/0432/0142/9662/files/nodagezifezidomoletiju.pdf
    • https://cdn.shopify.com/s/files/1/0440/5598/6326/files/xixirufuwunanefeseri.pdf
    • https://cdn.shopify.com/s/files/1/0434/4663/2615/files/quran_made_easy.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/sedafasejizal.pdf
    • https://cdn.shopify.com/s/files/1/0430/2402/3715/files/lutheran_liturgical_calendar_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006fc2.bin
2955bc8dbed5eb277841030fefca1b8f59ba83a4026b94e221da3b5b61043186		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FC2 5656 bytes
font_01_sfnt_off000082fd.bin
cbe21d394868e1bca2c10c69256fa660a3dac11932ca82e3c815782ff32e8961		 pdf-font-stream PDF embedded font (sfnt) at offset 0x82FD 10212 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.