Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdafd8cdb601871e…

Verdict: MALICIOUS
File type: PDF
Size: 45.4 KB
Created: 2020-10-17 19:35:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b5556590730ed3996c3d234da371ef0
SHA-1: 40f793005ac0e1f95076f33b6f33d2e41e75ff7b
SHA-256: fdafd8cdb601871edf0e9e7be8446d31bf6c7dcc81330db076147684db2af81a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.link/123?keyword=esl+needs+analysis+questionnaire+pdf', is designed to redirect users to malicious infrastructure. The document also exhibits characteristics of a link farm, with numerous external PDF links, suggesting an attempt to manipulate search engine results or distribute content broadly. The presence of a malicious redirector indicates a phishing or social engineering attempt to lure users to a harmful site.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [severity: critical] [PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [severity: critical] [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [severity: info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/123?keyword=esl+needs+analysis+questionnaire+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000072d9.bin
  SHA-256: 0906545733a50a2df9a4e1480f78e3c0799b0ea4a7af684684d9e66eddb0b2ea
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x72D9
  Size: 5220 bytes

Filename: font_01_sfnt_off000084b1.bin
  SHA-256: 9275061410a1db48959025a5f1a64b9dbcb9aa364d4498bf7a8152237b942a29
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x84B1
  Size: 10632 bytes