Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff8fb6ce7aecafda…

Verdict: MALICIOUS
File type: PDF
Size: 49.9 KB
Created: 2020-08-07 05:13:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8a0f5c6d75be44f06d59e73c4af5736e
SHA-1: 41fabc692e83a9b26009b42135979d0fdd606e45
SHA-256: ff8fb6ce7aecafda90f5c63eaad9cc1cbfa8cc9b6bddea4d3b5fb9ad6c21680c
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the report labels this "Spearphishing Attachment", which is T1566.001; the right sub-technique depends on delivery: attachment if the PDF arrives by mail, link if the reader is drawn to it through search results)
T1059.001 Command and Scripting Interpreter: PowerShell (no script, launch action or dropped payload is listed anywhere in this report; this mapping describes later stages of the campaign, not an artifact of this sample)
T1204.001 User Execution: Malicious Link (the report gives T1204.002, which is "Malicious File"; the behaviour it describes, a user clicking an embedded link, is T1204.001)

The PDF contains embedded links that point to a known malicious redirector, ttraff.com, whose query string carries the lure keyword and which forwards visitors to further malicious content. The document body, though heavily obfuscated, contains text related to 'acls test questions and answers pdf 2020' together with that URL, a search-bait lure intended to make the reader click. The numerous external PDF links, twelve of them on cdn.shopify.com, indicate a link-farm strategy to boost search ranking and potentially distribute further malicious files. The authoring tool, wkhtmltopdf, converts HTML pages to PDF, consistent with a generated web page rather than a hand-authored document. No script, launch action or parser-exploit artifact is reported; the sample's effect depends entirely on the user following a link, so blocking or sinkholing the redirector host neutralises it.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical; rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in what the link resolves to at click time, not in opening the file.
  • Small PDF contains mass external PDF link farm (critical; rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, most of them on one host (here cdn.shopify.com). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached it (macro, JS, link annotation, document body, ...) decides its weight. The two critical heuristics above are triggered by clickable links; the 17 URLs below are the redirector and the 16 external PDF links they refer to (12 of those on cdn.shopify.com):
    • https://ttraff.com/pify?keyword=acls+test+questions+and+answers+pdf+2020
    • http://files.darpaulrevere.org/uploads/1/3/0/7/130740213/9589335.pdf
    • http://files.eastmallinginstitutehall.co.uk/uploads/1/3/1/4/131453248/6384483.pdf
    • http://files.jjjohnsonauthor.com/uploads/1/3/1/4/131437268/lotoxaboxubuw.pdf
    • http://files.justbeyou.earth/uploads/1/3/1/8/131856034/sifawudepaxoxifo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/44329390643.pdf
    • https://cdn.shopify.com/s/files/1/0437/8004/6997/files/tasegiguzakode.pdf
    • https://cdn.shopify.com/s/files/1/0430/4162/0119/files/perixutojav.pdf
    • https://cdn.shopify.com/s/files/1/0431/9540/0356/files/vikuvag.pdf
    • https://cdn.shopify.com/s/files/1/0431/6413/9674/files/jekewipobej.pdf
    • https://cdn.shopify.com/s/files/1/0428/0510/0707/files/fagaluku.pdf
    • https://cdn.shopify.com/s/files/1/0432/1991/0813/files/eichmann_em_jerusalm_livro.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/setixinojed.pdf
    • https://cdn.shopify.com/s/files/1/0433/5471/8358/files/begilegomox.pdf
    • https://cdn.shopify.com/s/files/1/0433/5435/7910/files/15929561105.pdf
    • https://cdn.shopify.com/s/files/1/0428/7237/3414/files/lazemiravizarokeramemi.pdf
    • https://cdn.shopify.com/s/files/1/0429/5327/7603/files/the_almanac_of_american_politics_2020.pdf
    The following six are XMP namespace URIs from the document's metadata (RDF, Dublin Core and Adobe PDF/XMP schemas). They identify schemas, are not clickable, appear in most XMP-bearing PDFs and carry no signal on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
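The two link heuristics above can be reproduced with a short raw-byte scan. The following Python is an added example, not the scanner's code and not part of the report: it builds a throwaway PDF fixture from a subset of the URLs listed above (constructed sample data), pulls the /URI targets of /Link annotations, keeps them apart from the XMP namespace URIs, and applies the redirector and link-farm checks. The KNOWN_REDIRECTORS set, the thresholds (small_limit, min_pdf_links, cluster_share) and the regex-based parsing are assumptions of this example; the report does not state what its scanner uses.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Redirector host named in the report; in practice this set comes from threat intel.
KNOWN_REDIRECTORS = {"ttraff.com"}

# Subset of the URLs listed in the report, used only to build a test fixture.
SAMPLE_URIS = [
    "https://ttraff.com/pify?keyword=acls+test+questions+and+answers+pdf+2020",
    "http://files.darpaulrevere.org/uploads/1/3/0/7/130740213/9589335.pdf",
    "https://cdn.shopify.com/s/files/1/0433/0687/7080/files/44329390643.pdf",
    "https://cdn.shopify.com/s/files/1/0437/8004/6997/files/tasegiguzakode.pdf",
    "https://cdn.shopify.com/s/files/1/0430/4162/0119/files/perixutojav.pdf",
    "https://cdn.shopify.com/s/files/1/0431/9540/0356/files/vikuvag.pdf",
]

# /URI actions written as literal strings. Assumptions: no escaped parentheses in
# the URL and no hex-string form. A real parser (pypdf, pdfminer, peepdf) handles
# those, and objects packed into compressed object streams (PDF 1.5+) are invisible
# to a raw-byte scan like this one, so a clean result here is not proof of absence.
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')


def build_sample_pdf(uris):
    """Constructed fixture: a skeletal PDF (no xref) with one /Link annotation per
    URI and an XMP metadata stream. Enough for a byte scan, not a viewable file."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF></x:xmpmeta>')
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream\nendobj"
        % (len(xmp), xmp),
    ]
    refs = []
    for i, uri in enumerate(uris):
        num = 5 + i
        refs.append(b"%d 0 R" % num)
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (num, uri.encode("ascii")))
    objs.append(b"4 0 obj << /Type /Page /Parent 2 0 R /Annots [%s] >> endobj" % b" ".join(refs))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


def extract_link_uris(pdf):
    """URLs reached through clickable /Link annotations, the channel the two
    critical heuristics in the report key on."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf)]


def extract_xmp_namespaces(pdf):
    """Namespace URIs from XMP metadata: schema identifiers, not links."""
    return sorted({m.decode("latin-1") for m in XMLNS_RE.findall(pdf)})


def triage(pdf, small_limit=200_000, min_pdf_links=5, cluster_share=0.5):
    """Apply the redirector and link-farm checks. Thresholds are assumptions of
    this example, not the report's."""
    uris = extract_link_uris(pdf)
    hosts = [urlparse(u).hostname or "" for u in uris]
    redirector_hits = [u for u, h in zip(uris, hosts) if h in KNOWN_REDIRECTORS]
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    host_counts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = host_counts.most_common(1)[0] if host_counts else (None, 0)
    link_farm = (len(pdf) <= small_limit
                 and len(pdf_links) >= min_pdf_links
                 and top_count / len(pdf_links) >= cluster_share)
    findings = []
    if redirector_hits:
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if link_farm:
        findings.append("PDF_SEO_LINK_FARM")
    return {
        "size": len(pdf),
        "link_uris": uris,
        "xmp_namespaces": extract_xmp_namespaces(pdf),
        "redirector_hits": redirector_hits,
        "external_pdf_links": len(pdf_links),
        "top_pdf_host": top_host,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf(SAMPLE_URIS)).items():
        print(f"{key}: {value}")
```

Run it as a script to print the triage result for the fixture; on a real sample, read the file bytes and call triage() on them. Because the regex only sees uncompressed objects, treat an empty link list from this scan as "not found by a byte scan", and hand anything that looks clean but suspicious to a full PDF parser that decodes object streams.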

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font streams, the expected by-product of an HTML-to-PDF converter embedding the fonts it renders text with; the report attaches no detection to them.

  • font_00_sfnt_off0000834b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x834B
    Size: 5632 bytes
    SHA-256: 60864d675a729cd4e335cf89e90cd9b1b312b55826346eb7ae423d5c850ec836
  • font_01_sfnt_off00009699.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9699
    Size: 10536 bytes
    SHA-256: b04a20510d48e96982382eeec2f15a97413c0342873c5ddc9a9d52d7d163cc2d