Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c8085c428af0492…

MALICIOUS

PDF

42.9 KB Created: 2020-09-16 19:55:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93b7e1e96166fae956371f66f1be799b SHA-1: d0446f7e6b469cdf8d19954c4fa3f59eb8a4835c SHA-256: 3c8085c428af0492d2e1f4905dc8ba1fdc64812a8557894f82ee287a780e526a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF file contains numerous embedded links, including a critical redirector link to 'https://ttraff.link/wix?keyword=ap+world+history+chapter+15+pdf'. This suggests a social engineering attack aiming to trick users into clicking the link, likely leading to a malicious site or download. The document body, though heavily obfuscated, contains the same lure text and URLs, reinforcing the attack pattern. The presence of multiple PDF links also indicates a link farm strategy to improve search engine visibility for malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=ap+world+history+chapter+15+pdf
    • http://files.genauxphotography.com/uploads/1/3/2/6/132681949/4665580.pdf
    • http://files.tmpropertysolutions.com/uploads/1/3/1/3/131381539/kivokigatofujew_besizu_nateju.pdf
    • http://files.mariaevagorou.com/uploads/1/3/0/8/130814056/rozurefameze.pdf
    • https://6fea5e09-e306-4ec0-8995-2dce0ccc0383.filesusr.com/ugd/38eac1_d6a78eb285194748ae8281be1f450fa0.pdf?index=true
    • https://36124a77-65d9-48c3-bb75-7bdc13e7cc62.filesusr.com/ugd/d31907_bcd6426e0eae45eabd9c41ee3370789e.pdf?index=true
    • https://3859f92a-a417-4fdb-9b9c-7371db963ba6.filesusr.com/ugd/fb5067_170b926e36564190b81ae7f95afdd242.pdf?index=true
    • https://f41e8e14-56a9-4d34-974a-c6cb15f1b27b.filesusr.com/ugd/6924eb_cc0da0ffdf384ebdb4c5e5887fa60c20.pdf?index=true
    • https://74a192a9-b85c-4979-82af-f3607e1378a6.filesusr.com/ugd/18574e_bb471c7841a24cbfb7816aa200feb7a2.pdf?index=true
    • https://cb6dea7f-6d99-4d07-aa42-7f7eb2e4e046.filesusr.com/ugd/c1108c_208f070f04a344b89d1d17671c6b3d66.pdf?index=true
    • https://3bbadb02-0c53-4fe9-8bcd-a675c04ba983.filesusr.com/ugd/724bd4_45f1e0a4005341b794114c44bc093dfd.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000698d.bin
a46267c667b4ca23bc8270328a9770fb72af3f2caf0bbd89cde984931d1103ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x698D 5600 bytes
font_01_sfnt_off00007cb5.bin
eb33049e037e0856cea91bc715e5d2aae533b02c3adcec725e75ac219db5d90d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CB5 10156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.