Malicious PDF — malware analysis report

Static analysis result for SHA-256 49af6aba949dfbcf…

MALICIOUS

PDF

Size: 61.3 KB
Created: 2020-09-05 01:00:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ef1b4fa5cae48a614509a7612044aec
SHA-1: da1700ab7c61dc2b57aeb75a1b233ee7ebd6d156
SHA-256: 49af6aba949dfbcf2e1692acc7bd0974b8412b1a4fa829f124f56c4bf3a6f911
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, disguised as a kindergarten math worksheet. The embedded URL, https://ttraff.me/wix?keyword=kindergarten+math+worksheets+with+pictures, is the primary indicator of malicious intent, likely leading to a phishing or malware download page. The file's structure and content strongly suggest a social engineering attack.

Heuristics 3

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.me/wix?keyword=kindergarten+math+worksheets+with+pictures
    • https://static.usrfiles.com/ugd/c0b427_78581d4544c4477ca6b14871dd595ace.pdf
    • https://static.usrfiles.com/ugd/78c764_f495b9e8841742eca6237914b179419a.pdf
    • https://static.usrfiles.com/ugd/4117a9_b0ebd8c2be8948f585ff143d5a39367d.pdf
    • https://static.usrfiles.com/ugd/78c764_1ea36aefe9b242a892599ad354095ecf.pdf
    • https://static.usrfiles.com/ugd/badafb_e3d8edf22ab1493bb47b2fc60b438a7e.pdf
    • https://static.usrfiles.com/ugd/a2ebd8_ed4b0154f7b842989efe6bfbce4961a1.pdf
    • https://static.usrfiles.com/ugd/954c8b_de48c1c23333496cba1fc97a046cc1db.pdf
    • https://static.usrfiles.com/ugd/d54300_6274418f9f3a4889aacc36a60e3fb984.pdf
    • https://cdn.shopify.com/s/files/1/0451/5836/7386/files/vilovilapezasowidujem.pdf
    • https://cdn.shopify.com/s/files/1/0432/6113/2968/files/arduino_uno_r3_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/5747/0870/files/banting_green_list_south_africa.pdf
    • https://cdn.shopify.com/s/files/1/0440/5005/5318/files/65937621631.pdf
    • https://cdn.shopify.com/s/files/1/0431/8219/4847/files/15438743623.pdf
    • https://cdn.shopify.com/s/files/1/0432/5857/7046/files/28299559295.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ab5c.bin
  SHA-256: c867bd79841fdb5e1370c45bd7e6a6de9c82a86641f2b5b45efa54e2743363d1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAB5C
  Size: 5580 bytes

Filename: font_01_sfnt_off0000be3c.bin
  SHA-256: 186ca765fe2f8f89b63f7c09ee459a25e73c9853149f5a008dcdc9c37798e7d8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBE3C
  Size: 13460 bytes