Malicious PDF — malware analysis report

Static analysis result for SHA-256 32be93671ad51cdc…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Created: 2020-08-09 01:12:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d714740d09c8cf66d63f2be7561ef813
SHA-1: 293e7c5b9cc2176c951241157bca1e486dc59b74
SHA-256: 32be93671ad51cdc66499a8fc14de0715a3ed4301e969f78ed3d3e8b9479faa8
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one critical heuristic identifying a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text suggesting a lure for 'Biology projects for class 10 pdf' and includes the malicious URL. This indicates a phishing or social engineering attack aiming to redirect users to malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/pify?keyword=biology+projects+for+class+10+pdf
    • http://tekuk.fjreitztheatre.com/uploads/1/3/1/6/131607163/boweronufugas.pdf
    • http://files.konidarissales.com/uploads/1/3/2/7/132740463/firepakef.pdf
    • http://files.withbecca.com/uploads/1/3/1/3/131384599/torujigekomorak-fupaso-difevefe-nilixo.pdf
    • http://files.ydlwithchristinasever.com/uploads/1/3/1/8/131871605/4677186.pdf
    • http://files.heartsofhorsehaven.org/uploads/1/3/2/6/132695280/lukumuxo-lamoj.pdf
    • https://cdn.shopify.com/s/files/1/0433/8604/4570/files/3992833870.pdf
    • https://cdn.shopify.com/s/files/1/0428/7099/7151/files/xemakumin.pdf
    • https://cdn.shopify.com/s/files/1/0434/5479/1832/files/25616964121.pdf
    • https://cdn.shopify.com/s/files/1/0431/0115/9575/files/53500167909.pdf
    • https://cdn.shopify.com/s/files/1/0436/3298/4222/files/zorusepopujitajev.pdf
    • https://cdn.shopify.com/s/files/1/0433/8535/6449/files/vagesomowibanu.pdf
    • https://cdn.shopify.com/s/files/1/0433/7234/7550/files/matenoduwiwugides.pdf
    • https://cdn.shopify.com/s/files/1/0430/9165/6864/files/bubamodufarilosubolu.pdf
    • https://cdn.shopify.com/s/files/1/0431/6318/9405/files/payday_loans_salem_oregon.pdf
    • https://cdn.shopify.com/s/files/1/0429/8942/0695/files/77124749418.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005d5c.bin
  SHA-256: 2a6e382de0383660de5f7203cf8a94aa97c6b79a81f4ee854e66f7c608d1a764
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5D5C
  Size: 5744 bytes

Filename: font_01_sfnt_off00007113.bin
  SHA-256: 110c5a33901062ec91fec94960816bd32abd9411a96316dbe58da201435844a3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7113
  Size: 10344 bytes