PDF malware analysis — malicious · 1e858201bb9b65a3

MALICIOUS

PDF

38.9 KB Created: 2020-08-20 09:42:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 2d0462b76615f2fbb235be47e06f6a2c SHA-1: 0bf9bc400a31b850556c0b9d4d3c270e5d4a5fc9 SHA-256: 1e858201bb9b65a3db5fe4c1730f0d5f28880105af576437c8f9983c3f2e7eb0

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a lure for homework answers, which is a common social engineering tactic. It embeds numerous links, with one specifically identified as a malicious redirector: https://ttraff.com/pify?keyword=homework%2523+2+economics+e+napp+answers. This redirector likely leads to a malicious payload or phishing page. The presence of multiple Shopify links suggests an attempt to blend in with legitimate content while distributing the malicious link.

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=homework%2523+2+economics+e+napp+answers
- http://files.thegutguys.com/uploads/1/3/1/3/131379353/kubotavo.pdf
- https://cdn.shopify.com/s/files/1/0431/7075/8820/files/ib_biology_biozone_workbook_answers.pdf
- https://cdn.shopify.com/s/files/1/0434/4581/3413/files/rapumibimidexezi.pdf
- https://cdn.shopify.com/s/files/1/0431/3694/2234/files/16948328416.pdf
- https://cdn.shopify.com/s/files/1/0437/1811/5480/files/ritusuvijasagigujisiza.pdf
- https://cdn.shopify.com/s/files/1/0434/1288/1564/files/30934244887.pdf
- https://cdn.shopify.com/s/files/1/0432/1204/6495/files/8047292994.pdf
- https://cdn.shopify.com/s/files/1/0429/8833/9354/files/tirorifutukonowasegiwajaw.pdf
- https://cdn.shopify.com/s/files/1/0430/1606/1091/files/26727509844.pdf
- https://cdn.shopify.com/s/files/1/0428/3557/4943/files/kejebikuwos.pdf
- https://cdn.shopify.com/s/files/1/0434/4587/8941/files/puwoxeg.pdf
- https://cdn.shopify.com/s/files/1/0434/4584/6168/files/wamiwazawuwejusu.pdf
- https://cdn.shopify.com/s/files/1/0432/6942/3269/files/2931617258.pdf
- https://cdn.shopify.com/s/files/1/0430/2834/9079/files/73150385617.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004f9d.bin` `ea384a61ba26ade55a1fcee9c465e8fbc447ece8ede6181c788c6d972b4fa466`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4F9D	4076 bytes
`font_01_sfnt_off00005d5a.bin` `b2352795bdd3dc3e76d68a2e92bcf1f48c3fa78e927980f453d6275bd73a4390`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5D5A	10168 bytes
`font_02_sfnt_off00007ff5.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7FF5	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.