Malicious PDF — malware analysis report

Static analysis result for SHA-256 492ce8c0b1ac91fe…

MALICIOUS

PDF

Size: 35.1 KB
Created: 2020-08-04 21:31:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 746ff03ed8e75c48e0a49e1358a4d12d
SHA-1: 4dae806fe31a111e183bd70782ed6e401366e480
SHA-256: 492ce8c0b1ac91feb7d857d4798b86d76ad4da9aa69fc40af43057acbc449def
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a link farm, with the primary malicious link directing users to a redirector. The document body, though heavily obfuscated, contains text related to 'Ielts writing test answer sheet pdf', suggesting a lure. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates the primary URL is associated with malicious redirector infrastructure. The PDF_SEO_LINK_FARM heuristic indicates the document is designed to host numerous external links, likely for SEO manipulation or to distribute further malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/pify?keyword=ielts+writing+test+answer+sheet+pdf
    • http://files.gbartistsassociation.com/uploads/1/3/2/6/132695572/dakozodenasibe.pdf
    • http://files.jbs-publishing.com/uploads/1/3/1/3/131379540/kopiber-bofimemam-zatulor.pdf
    • http://files.aa-gue.com/uploads/1/3/1/6/131607027/duzeligatamuxu.pdf
    • http://jetede.napashuttlelimousine.com/uploads/1/3/1/0/131070872/495652.pdf
    • https://cdn.shopify.com/s/files/1/0444/0319/6070/files/music_torrenting_sites_reddit.pdf
    • https://cdn.shopify.com/s/files/1/0429/3538/6275/files/mazubiposomivif.pdf
    • https://cdn.shopify.com/s/files/1/0437/0402/5243/files/cooking_recipes_classic_wow.pdf
    • https://cdn.shopify.com/s/files/1/0429/9656/4131/files/95255160676.pdf
    • https://cdn.shopify.com/s/files/1/0434/7101/2006/files/biogeochemistry_an_analysis_of_global_change_3rd_edition.pdf
    • https://cdn.shopify.com/s/files/1/0432/1129/2829/files/74058818770.pdf
    • https://cdn.shopify.com/s/files/1/0434/9899/5878/files/tame_impala_currents_torrent.pdf
    • https://cdn.shopify.com/s/files/1/0429/8801/1673/files/57599699481.pdf
    • https://cdn.shopify.com/s/files/1/0430/8962/5241/files/padadipaxekunojudixo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000045f0.bin
  SHA-256: ab4ef1afb7387fa20c5c9ea6efd305938e51aa8392cfd169790e4e2754e1b606
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x45F0
  Size: 5332 bytes

Filename: font_01_sfnt_off0000581f.bin
  SHA-256: 9baccdc4931f4ce8322809e6e3914de36d14b6ad5caac349cb9a44e8e7720f2b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x581F
  Size: 14240 bytes