Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b0315a188ecce2a…

MALICIOUS

PDF

Size: 50.3 KB
Created: 2020-08-06 00:45:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 888468f307b2281b27d3f14c273a436e
SHA-1: a6324345f188223c202bac591358498380c1cf79
SHA-256: 4b0315a188ecce2ae5fcbbe9da5edb9af10223739b7b409f4334811e22c68e7d
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The document carries a clickable link to known malicious redirector infrastructure, https://ttraff.com/pify?keyword=8th+grade+math+practice+problems+pdf. The keyword in the query string is the social-engineering lure: a search phrase ("8th grade math practice problems pdf") used to pull victims in from poisoned search results and route them through a redirect chain to phishing or unwanted-software delivery. The same keyword appears in the document text, which is otherwise heavily corrupted, reinforcing the lure. The seventeen further links to externally hosted PDFs, twelve of them on cdn.shopify.com, match a generated link farm used for SEO poisoning rather than a normal citation pattern. Nothing in the sample points to exploitation of a PDF parser: the risk lies entirely in user interaction with the links, so detonation should follow the redirect chain, and blocking should key on the redirector host and URL pattern, since generated carriers like this vary per keyword and a file hash has little reach.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, metadata, ...), so the URLs are grouped below by where they were found.
    Clickable URI action to the redirector (basis of PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.com/pify?keyword=8th+grade+math+practice+problems+pdf
    Clickable external PDF links, 12 of 17 on cdn.shopify.com (basis of PDF_SEO_LINK_FARM):
    • http://files.positivelypolyanna.net/uploads/1/3/0/9/130969390/vinopojonapolup-pefamepi.pdf
    • http://zotolufa.uaassociation.org/uploads/1/3/0/7/130775320/kopuriw.pdf
    • http://files.starlit-lands.com/uploads/1/3/0/7/130775387/pukudubipi.pdf
    • http://files.hairandmakeupbyalicia.com/uploads/1/3/0/7/130739309/5defd.pdf
    • http://files.laciegandyphotography.com/uploads/1/3/0/7/130739693/rujezofi.pdf
    • https://cdn.shopify.com/s/files/1/0440/5025/1941/files/toduwepepadutefefozoturuk.pdf
    • https://cdn.shopify.com/s/files/1/0438/4882/7040/files/26877762056.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/80170273674.pdf
    • https://cdn.shopify.com/s/files/1/0435/2986/3320/files/busonid_spray_nasal_bula.pdf
    • https://cdn.shopify.com/s/files/1/0439/6387/5486/files/fomixizifusi.pdf
    • https://cdn.shopify.com/s/files/1/0429/5357/2515/files/muwajotisoselasud.pdf
    • https://cdn.shopify.com/s/files/1/0432/0506/6913/files/juzisodobimalelavipomodu.pdf
    • https://cdn.shopify.com/s/files/1/0445/9918/1476/files/ecology_textbook_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0437/6756/2392/files/97539788959.pdf
    • https://cdn.shopify.com/s/files/1/0431/0342/0570/files/76299251603.pdf
    • https://cdn.shopify.com/s/files/1/0432/6473/7433/files/74485778925.pdf
    • https://cdn.shopify.com/s/files/1/0431/1800/2343/files/50509459291.pdf
    XMP/RDF namespace identifiers from the document metadata stream; these are standard schema URIs, not clickable links, and carry no signal:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are sfnt (TrueType/OpenType) font programs, consistent with fonts embedded by the wkhtmltopdf/Qt renderer; they carry no detection on their own, but their hashes are recorded so they can be checked separately for known font-parser exploit payloads.

  font_00_sfnt_off000085de.bin
    SHA-256: 7182bf55739dc46941276a2faa1a2c77664ea0b97b1958e00c9bb969d2e7df67
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x85DE
    Size:    5808 bytes

  font_01_sfnt_off0000996c.bin
    SHA-256: c22640fb6ac183a04b15535f96567c1231424065430bd6c4f017af788bcc73e8
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x996C
    Size:    10152 bytes
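The following is an added worked example, not the analyzer that produced this report, showing how the two link heuristics above (PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM) and the font carving behind the Extracted artifacts table can be reproduced with the standard library alone. It builds its own constructed sample PDF (a redirector link to ttraff.com as named in the report, a cluster of .pdf links on one host plus a few on hypothetical example hosts, an XMP packet, and a zero-filled stream tagged with a TrueType magic), so it runs offline. The thresholds (200 KB, at least 8 external PDF links, half of them on one host), the REDIRECTOR_HOSTS set and all function names are assumptions of this example, and the scanner deliberately ignores object streams and indirect /Length values, which a production analyzer must handle.

```python
"""Toy static triage for link-carrier PDFs: extract /URI link annotations,
score the link-farm and redirector heuristics, and carve sfnt font streams.
Added example, not the analyzer that produced the report above."""
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# ttraff.com is the redirector host named in the report; the set is an
# illustrative stand-in for a curated threat-intel list, not a real feed.
REDIRECTOR_HOSTS = {"ttraff.com"}
# sfnt container magics: TrueType 1.0, Apple 'true', OpenType/CFF, TTC.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")
# Constructed stand-in for a font program: valid magic, zero-filled body.
FAKE_FONT = b"\x00\x01\x00\x00" + b"\x00" * 60

# /URI (literal string) with backslash escapes; the hex-string form is not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Any http(s) URL in the raw bytes, whatever channel it lives in.
RAW_URL_RE = re.compile(rb"https?://[^\s'\"<>()\[\]]+")
# "N G obj << dict >> stream": the dict may not span an endobj keyword.
STREAM_RE = re.compile(rb"\d+\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct lengths only


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_uris(pdf: bytes) -> list:
    """Targets of /URI actions in uncompressed objects. Limitation: objects
    packed in /ObjStm or Flate-compressed streams are invisible here; a real
    analyzer inflates them first."""
    return [m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
            for m in URI_RE.finditer(pdf)]


def analyze_links(pdf: bytes, max_size=200 * 1024, min_links=8, min_share=0.5) -> dict:
    """Apply the two link heuristics from the report. Thresholds are assumptions."""
    uris = extract_uris(pdf)
    raw = {m.group(0).decode("latin-1") for m in RAW_URL_RE.finditer(pdf)}
    pdf_links = [u for u in uris if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    redirectors = [u for u in uris if urlparse(u).hostname in REDIRECTOR_HOSTS]
    findings = []
    if redirectors:
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf) <= max_size and len(pdf_links) >= min_links and share >= min_share:
        findings.append("PDF_SEO_LINK_FARM")
    return {"uris": uris, "pdf_links": len(pdf_links), "top_host": top_host,
            "top_share": share, "redirectors": redirectors, "findings": findings,
            # URLs present in the bytes but never reachable by a click, e.g.
            # XMP namespace identifiers in the metadata stream.
            "raw_only": sorted(raw - set(uris))}


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Locate stream objects whose data starts with an sfnt magic and report
    offset, size and SHA-256, mirroring the 'Extracted artifacts' table."""
    fonts = []
    for m in STREAM_RE.finditer(pdf):
        lm = LENGTH_RE.search(m.group(1))
        if not lm:  # indirect /Length (n 0 R) would need xref resolution
            continue
        start = m.end()
        data = pdf[start:start + int(lm.group(1))]
        if data[:4] in SFNT_MAGICS:
            fonts.append({"offset": start, "size": len(data), "sha256": sha256_hex(data)})
    return fonts


def build_sample_pdf() -> bytes:
    """Constructed sample, not the report's file: one redirector link, twelve
    .pdf links on one host plus three on hypothetical hosts, an XMP packet,
    and one uncompressed sfnt-tagged font stream."""
    links = ["https://ttraff.com/pify?keyword=8th+grade+math+practice+problems+pdf"]
    links += ["https://cdn.shopify.com/s/files/1/04%02d/files/%d.pdf" % (i, i) for i in range(12)]
    links += ["http://files.example%d.net/uploads/%d.pdf" % (i, i) for i in range(3)]
    annots = b"".join(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                      b"/A << /S /URI /URI (%s) >> >>\n" % u.encode() for u in links)
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/></x:xmpmeta>")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >>",
        b"<< /Length %d /Subtype /TrueType >>\nstream\n" % len(FAKE_FONT) + FAKE_FONT + b"\nendstream",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(analyze_links(sample))
    print(carve_sfnt_fonts(sample))
```

Running the block on its own sample fires both heuristics, reports the RDF namespace URI under raw_only because it is reachable only through the metadata stream and never through a link annotation, and carves exactly one artifact, since the XMP stream fails the sfnt magic check even though it is a stream of known length.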