Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d52b32355e3f4a8…

MALICIOUS

PDF

42.1 KB Created: 2020-09-06 07:41:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63716d9f3b8147d6478e19edc11e3c65 SHA-1: a86f3681d7f13b4c180f3657105ee4d8c2c430ec SHA-256: 1d52b32355e3f4a8d09159ed54f097b0ee87254dc054eaeeae307561417f94f0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous links, including one pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text suggesting it is a lure for 'printable calendar worksheets'. The primary malicious IOC is the redirector URL, which likely leads to further malicious content. The presence of a link farm suggests an attempt to manipulate search engine results to distribute this lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=printable+calendar+worksheets+for+2nd+grade
    • https://static.usrfiles.com/ugd/2c76f4_985871aa6a674dcca47edb13944d9698.pdf
    • https://static.usrfiles.com/ugd/b8c837_c2385d517cd24c5f8a47f9ca32f2eb64.pdf
    • https://static.usrfiles.com/ugd/90d19e_0d52a149c9134a079e164cc449d44cc8.pdf
    • https://static.usrfiles.com/ugd/b8c837_b9dcbb7440464f94805d8184ef6f772f.pdf
    • https://static.usrfiles.com/ugd/7a359d_03a94f26275c450c9deeb65c01a7adfb.pdf
    • https://static.usrfiles.com/ugd/a44510_d54b9a83a7d94ebbb8dab9262b95ce21.pdf
    • https://static.usrfiles.com/ugd/b8c837_40a3304c0d1e49b8b5dd1affce370d43.pdf
    • https://static.usrfiles.com/ugd/dad90e_b1451270a9df4d85adbd4899c3dd1941.pdf
    • https://static.usrfiles.com/ugd/bdeb4c_3b1b01e5de35445a9e317cfae8b3ef95.pdf
    • https://cdn.shopify.com/s/files/1/0460/1869/1239/files/the_setting_sun_osamu_dazai.pdf
    • https://cdn.shopify.com/s/files/1/0433/7513/2821/files/butamunomofidipogubipot.pdf
    • https://cdn.shopify.com/s/files/1/0429/2640/7843/files/antagonismo_biologia.pdf
    • https://cdn.shopify.com/s/files/1/0437/8876/3298/files/64833238385.pdf
    • https://static.usrfiles.com/ugd/c4f63d_1a7c32eb759d4c438878ff073288e0c3.pdf
    • https://static.usrfiles.com/ugd/baef12_54c5f2f3ffb24793b25a51c0948cbd5f.pdf
    • https://static.usrfiles.com/ugd/078c79_e218b34861c44843a7f75d27d5870ac2.pdf
    • https://static.usrfiles.com/ugd/20d83a_6f05c20c25664ab39ae72d948bbfea96.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000666d.bin
cdf9e3203a7b7ebc3277f6b372972615859d245656b3c4a2bed8b9b26abdeccc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x666D 5712 bytes
font_01_sfnt_off000079eb.bin
ce8841409ada6d6fa60ae42520f6f0b3e30524fde609f649845e0a6a37f704f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79EB 9684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.