Malicious PDF — malware analysis report

Static analysis result for SHA-256 4da5c03cfc027435…

Verdict: MALICIOUS
File type: PDF
Size: 45.8 KB
Created: 2020-09-17 16:58:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 29f38599f3c934a05c67dde774cce947
SHA-1: 82235cf44c8a4a6cea6b96b1b75c3716a05dba0f
SHA-256: 4da5c03cfc027435bd5df5a8bd69bb8b5b706b9641bbedde3369bc46bc9a6427
Risk score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a lure related to 'Prentice Hall Gold Algebra 1 Chapter 6-2 Answer Key' and embeds multiple links. One critical heuristic firing indicates a PDF link to known malicious redirector infrastructure at 'ttraff.me'. The document body, though heavily obfuscated, also contains this URL. The presence of a link farm heuristic further suggests a malicious intent to redirect users. No scripts were extracted from this sample.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/wix?keyword=prentice+hall+gold+algebra+1+chapter+6-2+answer+key

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00006fd5.bin | 98d2b465a186e1d5b67c7dac9411e6912ec44e204968cdffc015968d41adbc1b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6FD5 | 6104 bytes
font_01_sfnt_off000084b1.bin | 23cb536c521b2ecfe443f8aea256b12cd38b7f5be6fb789c5f6ba373cfce2ca2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x84B1 | 11048 bytes