Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f301c7177683747…

MALICIOUS

PDF

81.2 KB Created: 2020-09-16 19:10:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef1ab39f2208a4afa9923a3dcbe71f95 SHA-1: 1185e5344a858eab497b16e55f00ef864ab76f9a SHA-256: 3f301c71776837473e0bde6035b39405c2f71f45b5fef386d86f727d3930c6de
170 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains multiple embedded links, with one identified as a malicious redirector. The document's content and structure suggest an advance-fee scam, attempting to lure users with a fake worksheet and then redirecting them to a malicious URL. The presence of numerous links, including a primary malicious redirector, indicates a high likelihood of this document being used for phishing or malware distribution.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=calorimetry%20practice%20problems%20worksheet%20answers
    • https://654c680d-7028-4ef6-b939-33a0fd111886.filesusr.com/ugd/b58d21_66776b48b67f4720a26606bc7c732502.pdf?index=true
    • https://35a19606-992e-4ade-b3ee-77582dea20f5.filesusr.com/ugd/36d413_376a8f37161e49f4a73d1c9dc70d3997.pdf?index=true
    • https://1899ccc2-3c86-4f4f-b3f7-8fc93a3367b9.filesusr.com/ugd/d5cf39_4c6b8563a0574063a4cff80679b9421f.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0438/6547/3189/files/nafulebupo.pdf
    • https://cdn.shopify.com/s/files/1/0470/5851/8184/files/kendo_scheduler_mvc_event_template.pdf
    • https://cdn.shopify.com/s/files/1/0433/8922/3066/files/command_for_keep_inventory.pdf
    • https://a4ecb70f-176d-427f-96df-bf8e00e39159.filesusr.com/ugd/8a4248_0ea6035a71dc4be694bd770ef0b70375.pdf?index=true
    • https://5dfeb599-f143-4970-b5be-b223d44f6c45.filesusr.com/ugd/b0b521_bed24e03c49b47de95466a29b0fdaf13.pdf?index=true
    • https://9688388c-c70d-4557-be88-8fc883007d32.filesusr.com/ugd/c4dbd3_c59d872d785840bb9937908f41ffd7f1.pdf?index=true
    • https://87bd2be3-48db-45d5-b646-fa34ed482961.filesusr.com/ugd/21e9e0_5e2c0fda02294aeca6fc14352a2fd1e1.pdf?index=true
    • https://8243fd30-5c7e-4ab8-adbf-d40a5bb56291.filesusr.com/ugd/067ecb_6c8d3b1a69bf4712b4451a17c7483f91.pdf?index=true
    • https://aaae3763-2217-4799-926d-2464c670e026.filesusr.com/ugd/36d413_fa883490fb1647978c6fcf992363a12a.pdf?index=true
    • https://9834be7d-f8be-4c51-86ea-b7bae638e17c.filesusr.com/ugd/96564c_cdc0f1345d034cb89cf290f212c19bb4.pdf?index=true
    • https://af591e4f-daaf-4685-a131-d67185808cb9.filesusr.com/ugd/312e0e_c4671e86dd664af89be82d5644024329.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ea88.bin
dd7b880f1c6958317b71933e3175eb4154b1281d355b69180e4ce829e506ee21		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEA88 2828 bytes
font_01_sfnt_off0000f482.bin
5029936559ab81d7b79818bf5754848304344435e30481919594daec54b9e472		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF482 5384 bytes
font_02_sfnt_off000106b5.bin
5d4382ae4477d7bc8d3bd3b132bf79d49169e140630222618e6497498a1df91d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x106B5 9976 bytes
font_03_sfnt_off000128c4.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x128C4 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.