Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c1972d9482d831d…

MALICIOUS

PDF

36.1 KB Created: 2020-08-31 22:17:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f58a6f5231995d320da73b218353aa8 SHA-1: 1495a571a5f8bb31d8170950a9746115b4a2d314 SHA-256: 4c1972d9482d831d07f99658e77c0f378c42346803ac5b1d871fe4a6e5a6e3c6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link that redirects to known malicious infrastructure. The document body, though heavily obfuscated, contains text related to a 'fed up documentary student worksheet' and includes the malicious URL. This suggests a social engineering lure to trick the user into clicking the link, likely leading to a phishing page or malware download.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=fed+up+documentary+student+worksheet
    • https://static.usrfiles.com/ugd/b8c837_263d4133e17c4f9e95aaa360348159d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_93612f386d804c43a3f57a3a6024b56b.pdf
    • https://static.usrfiles.com/ugd/0ad6c7_a0bb3d313bd448b1aba4808f4fb76dba.pdf
    • https://static.usrfiles.com/ugd/b8c837_42a66ad919d34360ae6ce3c67c1ee1a9.pdf
    • https://static.usrfiles.com/ugd/856cea_3934d71c7c6243b78a021027357f6747.pdf
    • https://static.usrfiles.com/ugd/1813b3_dd1f4aadfdcb47d29edbe5a391d77b71.pdf
    • https://static.usrfiles.com/ugd/f14cf6_a0f78bad0def4db8961339bce6997a88.pdf
    • https://static.usrfiles.com/ugd/7ea8bb_a27c81aa79b14dcc9bed2907ebc8cfe6.pdf
    • https://static.usrfiles.com/ugd/111c46_c8e91dc0935e4bf7bce6d1c0473bb820.pdf
    • https://static.usrfiles.com/ugd/b8c837_22369135569249eba7d94d423d4ad4c9.pdf
    • https://static.usrfiles.com/ugd/fb83f1_2a38b2c8fcfe486487b0fba03cf37e90.pdf
    • https://static.usrfiles.com/ugd/50c35f_4d0b328e4e4e4a69a3e7291b68db1264.pdf
    • https://static.usrfiles.com/ugd/0c4177_151b4919bf5e47bca88fbba8ae135bae.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004ea4.bin
f2d189bbd38e2c2bf095cc69bc65402f1c735dba94d060ce38610b9b85ec5872		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4EA4 5492 bytes
font_01_sfnt_off0000613f.bin
26af081da0508c08dbfd60dd3539d4faa8dfc232543b2e36d50bf4cb815614bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x613F 10112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.