Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b1f1564504f4183…

Verdict: MALICIOUS
File type: PDF
Size: 38.3 KB
Created: 2020-08-22 04:22:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6150f091da1e197fb50389da61ca19de
SHA-1: c322f53a36c0f86343125d6450c86e97750a3cae
SHA-256: 4b1f1564504f4183f05c54ba2e51be92f05fe0b33179d7958ae56670d59301ba
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains multiple embedded links, and one heuristic identifies a link to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'subjunctive form worksheet ks2' together with the malicious URL. The primary attack pattern is to trick the user into clicking a link that leads to a malicious site, likely for further exploitation or credential harvesting. No scripts were extracted, which limits analysis of any direct payload execution.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.cc/pify?keyword=subjunctive+form+worksheet+ks2

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005768.bin
  SHA-256: 3ffe7567b93c688af6b11be88c5636078799bdd2ecdf1ad91499b219fb80f024
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5768
  Size: 5548 bytes

Filename: font_01_sfnt_off00006a3b.bin
  SHA-256: 54c5cd624e5434a6b0a09a1958c8bfffb3074c42eed5b8992f98c9615ee6bd34
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6A3B
  Size: 10052 bytes