Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c30d20b67863f91…

Verdict: MALICIOUS
File type: PDF
Size: 42.6 KB
Created: 2020-09-19 04:29:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9098a9bb1e1cfaacd9133e9bc5f40f6f
SHA-1: d01c160028112464740f7eef3b34bf3832888aa7
SHA-256: 2c30d20b67863f910f0d513a89ed5ea54ff170251fb1b3af4e80e67a6ea2a307
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, identified as a link farm, designed to redirect users to potentially malicious websites. One such redirector is 'https://ttraff.link/wix?keyword=suma+de+fracciones+con+igual+denominador'. The document body, though heavily obfuscated, contains text about summing fractions, most likely a lure chosen to disguise the malicious intent. The presence of numerous external PDF links suggests an SEO poisoning or traffic-generation scheme.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=suma+de+fracciones+con+igual+denominador

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000678f.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x678F    5444 bytes
  SHA-256: 856f0557f54bc5d02d1744f6ff564d94a2226e9208dd5f82f6a907efd3dd58c0
font_01_sfnt_off000079f8.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x79F8    10936 bytes
  SHA-256: b421f6285291e386e720626ed0fd247cff9646d7518b153fbf62b9d8e2b258a6