Malicious PDF — malware analysis report

Static analysis result for SHA-256 febf6ba42a3e9388…

MALICIOUS

PDF

32.7 KB Created: 2020-08-01 09:17:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82649257b8e46db59caac8cf6fe94fe3 SHA-1: 6a3680f081cea1ad1af8cdc10f987bfc5adae928 SHA-256: febf6ba42a3e938859d74c9a47dbead54e9a276cf6450a9c0ac4133e0cdc4a59
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with one identified as a malicious redirector. The document body appears to be obfuscated or corrupted, but the presence of numerous external PDF links suggests a link farm or SEO manipulation tactic. The primary malicious URL is https://ttraff.cc/pify?keyword=accuweather+norfolk+ne, which likely leads to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=accuweather+norfolk+ne
    • http://files.landfallcert.com/uploads/1/3/0/9/130968931/e8d1504.pdf
    • http://files.thesoundingboardteachingministries.com/uploads/1/3/1/0/131070045/kevisadamawok.pdf
    • http://files.woolardcoinsupplies.com/uploads/1/3/1/0/131070152/lomatejafumam.pdf
    • http://files.dad-ventures.com/uploads/1/3/0/7/130739802/runirofopesu.pdf
    • http://files.armstrongchoirs.org/uploads/1/3/1/3/131383318/zoribasefuzowep.pdf
    • https://cdn.shopify.com/s/files/1/0429/8548/8543/files/wakoxodizujilurifi.pdf
    • https://cdn.shopify.com/s/files/1/0435/5375/1189/files/239370106.pdf
    • https://cdn.shopify.com/s/files/1/0430/6042/8962/files/64665922651.pdf
    • https://cdn.shopify.com/s/files/1/0430/9044/4445/files/59573441520.pdf
    • https://cdn.shopify.com/s/files/1/0433/7133/1742/files/juginizepoke.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nanejixiv.pdf
    • https://cdn.shopify.com/s/files/1/0430/4509/3533/files/98109195340.pdf
    • https://cdn.shopify.com/s/files/1/0430/9201/7305/files/6344710334.pdf
    • https://cdn.shopify.com/s/files/1/0432/0778/6651/files/2893048308.pdf
    • https://cdn.shopify.com/s/files/1/0430/5253/1869/files/75874304076.pdf
    • https://cdn.shopify.com/s/files/1/0434/0118/3397/files/jexikabimikurug.pdf
    • https://cdn.shopify.com/s/files/1/0430/1737/1797/files/lupebemuzifutosipilokato.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000464e.bin
c41343a81dd1b2a9536a59260c254dd5b5540cb80e507967999c18f6760c0282		 pdf-font-stream PDF embedded font (sfnt) at offset 0x464E 4936 bytes
font_01_sfnt_off00005728.bin
d03f1a64ba9a87e89cd95324402455a73852a749ef47de8c40c6c730a1935ce5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5728 9148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.