Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b02e32ab96434bf…

MALICIOUS

PDF

37.1 KB Created: 2020-09-12 02:06:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c2791b56c25cf0c10421798ace2cbf8 SHA-1: b29aa424da4152b23b991c8494d02b1f448e0581 SHA-256: 3b02e32ab96434bfbb94af3e53f5ef1a9d9b082501238782ddc98802dcc18610
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to domains designed to host further PDF files, creating a link farm. One of the primary links redirects through a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'handwriting worksheets kindergarten pdf' and the malicious URL, suggesting a lure to disguise the malicious intent. The heuristics indicate the PDF is a malicious redirector and part of a link farm.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=handwriting+worksheets+kindergarten+pdf
    • http://devepib.tonistouchbeautysupplyllc.com/uploads/1/3/2/6/132695643/2ecb6a.pdf
    • http://kaxojok.betaniadigiannagelfusa.org/uploads/1/3/0/7/130739723/pusokar_widofibejobuper.pdf
    • http://vivave.donjitsudodojo.com/uploads/1/3/1/4/131453197/wapixiduvanitigom.pdf
    • http://files.laosyogaretreats.com/uploads/1/3/1/3/131384635/famafag.pdf
    • https://cdn.shopify.com/s/files/1/0431/5866/7430/files/caravan_war_tower_defense_mod_apk.pdf
    • https://cdn.shopify.com/s/files/1/0428/0451/0887/files/rowidewusa.pdf
    • https://static.usrfiles.com/ugd/466fa0_e15972aebc1c40fdaba2ee477cc4ca46.pdf
    • https://static.usrfiles.com/ugd/f7fbc8_c2a4cab3809e43dfbf2be29e6f340727.pdf
    • https://static.usrfiles.com/ugd/d4c4cf_7a6aaa23a84b447e9dcf69b981c64f2c.pdf
    • https://static.usrfiles.com/ugd/0c60a0_66d75665b26548e3a9ca9526c441a8ff.pdf
    • https://static.usrfiles.com/ugd/93971e_1fd9f52153084a45804569fb99a5b8bd.pdf
    • https://static.usrfiles.com/ugd/83b1b3_03d968e51cea40f4afc4847787ffbabe.pdf
    • https://static.usrfiles.com/ugd/76156b_a0f7da9103d040a28630a9f4352c5c73.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000532e.bin
a2fe2251dc91e39670598ec655966122c32a43dc7787f9669f7ff85a38cccc17		 pdf-font-stream PDF embedded font (sfnt) at offset 0x532E 5388 bytes
font_01_sfnt_off0000658f.bin
09f8275289291bfd981432058f2df112dcf7c1ee2e4ae3b3658dfd87d770f0bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x658F 10008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.