Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e695e677ef86afe…

Verdict: MALICIOUS
File type: PDF
Size: 76.2 KB
Created: 2020-09-18 10:40:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61fa8e959c75e011fe50cfcd96405f03
SHA-1: 2a97429a9c0ea2eb701634361b549943c9636418
SHA-256: 4e695e677ef86afe6be6072f858fd7eddfefa67ddca8ef999f914391deb6cf43
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF was classified as malicious because it carries an unusually large number of external links, a pattern typical of SEO poisoning and of generated link-farm documents used to funnel readers toward malicious content. One embedded URL, https://ttraff.me/wix?keyword=capitulo+3b-2+realidades+1+answers, points to a known malicious redirector. The visible text is garbled filler interspersed with further URLs, which supports the conclusion that the document exists to redirect users to external, potentially harmful sites rather than to convey content; the wkhtmltopdf producer string is consistent with a machine-generated HTML-to-PDF carrier. The detection is behavioural: the heuristics below rest on user interaction and redirect chains, not on a PDF parser vulnerability, so the file is only dangerous if a link is followed.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL (known malicious redirector):
    • https://ttraff.me/wix?keyword=capitulo+3b-2+realidades+1+answers
    Other extracted URLs (18 external .pdf targets; note the clustering on filesusr.com and cdn.shopify.com):
    • http://fevoze.classicalcollege.com/uploads/1/3/1/6/131637043/sezarevotusoder.pdf
    • http://files.paigetheyogi.com/uploads/1/3/0/8/130874064/f856b.pdf
    • http://zagonomij.maeganabel.com/uploads/1/3/1/0/131070364/8176448.pdf
    • http://musijumiz.nollcompliance.com/uploads/1/3/2/3/132302956/3324672.pdf
    • http://files.rcdavis-tellinstories.com/uploads/1/3/1/3/131383624/ebc2656e5828c5.pdf
    • https://91215beb-0c75-4fac-a545-2c637c6c3adb.filesusr.com/ugd/b1277d_481b1fa35919403cb394f04b36f0c121.pdf?index=true
    • https://13bd497f-546f-4215-ab07-0f97fb77c593.filesusr.com/ugd/f390e7_4bdc85b8bb0e4911b0db00520ce4e036.pdf?index=true
    • https://229cea0a-a0b7-4a5f-874e-3e49aeaddb60.filesusr.com/ugd/96a426_2a4d8a48e1984178a5fa6b95892374c3.pdf?index=true
    • https://eb80fe11-f5b3-457c-b4d2-79f03119e354.filesusr.com/ugd/24deb6_8949039002e9465a99d1b3fc89b52671.pdf?index=true
    • https://eda6f83c-2ce1-4040-a613-aefe4e981092.filesusr.com/ugd/5f4192_7d3c92fa7c094a94a06d2f6151319055.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0444/6837/1623/files/causes_of_congestive_cardiac_failure.pdf
    • https://cdn.shopify.com/s/files/1/0431/8714/2820/files/50384152785.pdf
    • https://cdn.shopify.com/s/files/1/0464/8914/1416/files/22376674456.pdf
    • https://cdn.shopify.com/s/files/1/0433/6415/5560/files/lamabuxowelu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/99237037604.pdf
    • https://9958ebab-82ae-4f3d-b279-4b18de0fb3b5.filesusr.com/ugd/e80f4c_67177fe3c292445697f2d9fee3b37e46.pdf?index=true
    • https://0e529496-ef39-48fd-8140-6af8c01114c2.filesusr.com/ugd/91e123_915f93b69a1a4454adff83453a8352ec.pdf?index=true
    • https://f7f58ea5-47e7-40bd-bf0f-d005b9b39701.filesusr.com/ugd/a4c1fa_0158d039ffe2458ab32e734554113b73.pdf?index=true
    XMP/RDF namespace identifiers from the document metadata (standard schema URIs, not clickable link targets; expected in any wkhtmltopdf output and not part of the link-farm count):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
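
As an added worked example (not the analysis tool's own code), the script below reproduces the two critical heuristics above on a constructed PDF: it pulls /URI targets from plain objects and from FlateDecode-compressed streams, clusters them by site, and raises PDF_MALICIOUS_REDIRECTOR_LINK when a target sits on a blocklisted redirector host and PDF_SEO_LINK_FARM when a small file carries many links mostly on one site. The thresholds, the blocklist (seeded with ttraff.me from this report), the sample URLs and the simplified object stream are assumptions made for the example; it also shows that XMP namespace URIs in the metadata are never counted as links.

```python
"""Link-farm triage for a PDF, reproducing the report's two critical heuristics.
Added example, not the analysis tool's own code; thresholds and sample data are assumed."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Illustrative thresholds (assumptions, not values taken from the report).
MAX_SIZE_BYTES = 200 * 1024   # what counts as a "small PDF"
MIN_LINKS = 10                # what counts as "mass external links"
CLUSTER_RATIO = 0.5           # "mostly clustered on one host"
KNOWN_REDIRECTOR_HOSTS = {"ttraff.me"}   # seeded with the host flagged in the report

# /URI (literal string) inside a link action; the group tolerates \( \) \\ escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def iter_streams(pdf: bytes):
    """Yield (object dictionary, raw stream body) for every 'stream ... endstream'."""
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        end = pdf.find(b"endstream", m.end())
        if end < 0:
            continue                                  # truncated file: ignore the tail
        obj_start = max(pdf.rfind(b" obj", 0, m.start()), 0)
        yield pdf[obj_start:m.start()], pdf[m.end():end]


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target, including those inside FlateDecode streams
    (object streams hide link annotations from a naive grep of the raw file)."""
    blobs = [pdf]
    for header, body in iter_streams(pdf):
        if b"/FlateDecode" in header:
            try:
                blobs.append(zlib.decompressobj().decompress(body))  # tolerates trailing EOL
            except zlib.error:
                continue                              # corrupt stream: skip, don't abort triage
    uris = []
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            raw = m.group(1)
            for esc, plain in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
                raw = raw.replace(esc, plain)
            uris.append(raw.decode("latin-1"))
    return uris


def site_key(host: str) -> str:
    """Collapse sub-hosts onto their last two labels (approximation of the registrable
    domain; a production tool should consult the public suffix list instead)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(pdf: bytes) -> dict:
    """Apply both heuristics and return the evidence behind each finding."""
    hosts = [urlparse(u).hostname or "" for u in extract_uris(pdf)
             if u.lower().startswith(("http://", "https://"))]
    clusters = Counter(site_key(h) for h in hosts)
    total = sum(clusters.values())
    top_site, top_n = clusters.most_common(1)[0] if clusters else ("", 0)
    findings = []
    if any(h.lower() in KNOWN_REDIRECTOR_HOSTS for h in hosts):
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf) <= MAX_SIZE_BYTES and total >= MIN_LINKS and top_n / total >= CLUSTER_RATIO:
        findings.append("PDF_SEO_LINK_FARM")
    return {"links": total, "top_site": top_site,
            "top_share": round(top_n / total, 2) if total else 0.0, "findings": findings}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input: half the link annotations as plain objects, the rest packed
    into a FlateDecode stream (simplified object stream), plus an XMP metadata stream whose
    namespace URIs are identifiers, not links, and must not be counted."""
    def annot(u: str) -> bytes:
        return f"<< /Type /Annot /Subtype /Link /A << /S /URI /URI ({u}) >> >>".encode()
    out = bytearray(b"%PDF-1.5\n")
    half = len(urls) // 2
    for n, u in enumerate(urls[:half], start=1):
        out += b"%d 0 obj\n" % n + annot(u) + b"\nendobj\n"
    packed = zlib.compress(b"\n".join(annot(u) for u in urls[half:]))
    out += (b"%d 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
            % (half + 1, len(packed)) + packed + b"\nendstream\nendobj\n")
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    out += (b"%d 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n"
            % (half + 2, len(xmp)) + xmp + b"\nendstream\nendobj\n%%EOF\n")
    return bytes(out)


# Constructed sample: one blocklisted redirector, twelve links on one site, two elsewhere.
SAMPLE_URLS = (["https://ttraff.me/wix?keyword=example+query"]
               + [f"http://files{i}.farm.example/uploads/{i}/doc{i}.pdf" for i in range(12)]
               + ["https://cdn.example.net/files/a.pdf", "https://cdn.example.net/files/b.pdf"])
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(analyze(SAMPLE_PDF))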

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded fonts, which are normal output for a wkhtmltopdf-generated document; they are listed for completeness and none of the heuristics above is based on them.

font_00_sfnt_off0000cf95.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xCF95
  Size:    5468 bytes
  SHA-256: 0719172a275e271bc682ef1b1e2ca156931c7783b61d17f0db943932267fc22f

font_01_sfnt_off0000e24e.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE24E
  Size:    13644 bytes
  SHA-256: b7843d74a256a2d2cbe4ea358d827c4820f5108b49de0e9590c375648ad0dff4

font_02_sfnt_off00010e7a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10E7A
  Size:    16036 bytes
  SHA-256: 9559dd1bd908241551916101fda3d445a26f5c4b506a1423f23393456f9d5940