Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c076d27c77ef831…

MALICIOUS

PDF

53.5 KB Created: 2020-09-19 18:38:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e35dde6fa15d4370959b83fa2cdcc95 SHA-1: 36c36e5072f7443397f4addb189da106f2e3874a SHA-256: 2c076d27c77ef83103a78d9e90a243e7d8952d1563971a097b1f8bb530e3f7d8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a link farm designed for SEO manipulation. One prominent link, 'https://ttraff.me/wix?keyword=complementary+and+supplementary+angles+worksheet+kuta+answers', is identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to 'complementary and supplementary angles worksheet kuta answers', suggesting a lure to trick users into clicking the malicious link. No scripts were extracted, but the PDF structure and link farm indicate a delivery mechanism for further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=complementary+and+supplementary+angles+worksheet+kuta+answers
    • http://files.seaportside.com/uploads/1/3/1/3/131379724/wosolej.pdf
    • http://files.lazarlab.org/uploads/1/3/1/3/131380052/4232206.pdf
    • http://xodove.swanseafalcons.com/uploads/1/3/1/3/131381910/vivojulupijapigox.pdf
    • http://files.jesstracey.com/uploads/1/3/2/6/132696077/0fdc5739a3a.pdf
    • http://ximogul.ourpeaherpod.com/uploads/1/3/1/4/131453330/tagusakisajosa.pdf
    • https://94de198e-ec2d-4fd1-b589-f225fb241bd1.filesusr.com/ugd/3fd21f_4f004bfd227644e4952c126cd6c6bca9.pdf?index=true
    • https://56c1a584-e895-4438-9957-42ab207cfe85.filesusr.com/ugd/49be48_e986c63c146b4bb7aa087ea779630f4e.pdf?index=true
    • https://13f6b512-7569-4dc9-a5b4-6d7eedcef97b.filesusr.com/ugd/cacfd7_7c9aa1da40ab428da124933527c3ca35.pdf?index=true
    • https://97bbd10c-3b83-444e-843a-09ae94dcc4a2.filesusr.com/ugd/5cd33b_e6c426351c7140b5b03e7052b59d317b.pdf?index=true
    • https://5bc5cb59-07e8-4e7b-aa6d-cb67b2dce669.filesusr.com/ugd/c5d40f_a7adadc1c83349cbb8b1f052608405fb.pdf?index=true
    • https://daafe15a-6ff1-478d-8aae-3017d8c86e88.filesusr.com/ugd/e50c99_af90e9a36d8e4126ac5044102303ab36.pdf?index=true
    • https://f819f4b8-9e10-4c01-9bdf-747f39dd616b.filesusr.com/ugd/b4f0c6_4f1d0f08cd9e486aaaf2185c3295cb85.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000088cb.bin
572e844da140455b2bbea9ce2ff06851a09b14fdf17d337ee86dfacfc386bffb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88CB 5536 bytes
font_01_sfnt_off00009b86.bin
94b3e9cf8ced9d3716b7bc92ec42654d176b0b1950146eebd2ed7fbb4c6c05bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B86 14436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.