Malicious PDF — malware analysis report

Static analysis result for SHA-256 4eea24193249e168…

MALICIOUS

PDF

40.4 KB Created: 2020-09-11 13:04:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5081ab49170c0ef96370c4af8d50986a SHA-1: 22e9c7af36d39fa304b8d060a777791c8e93aec0 SHA-256: 4eea24193249e168d844ae3c93d4fc4739af8f8a698fb60fe266aad87986ef84
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though corrupted, contains text suggesting it is a worksheet for grade 1 students, likely a lure. The primary malicious IOC is the redirector URL, which is designed to lead the user to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=english+articles+worksheet+for+grade+1
    • https://static.usrfiles.com/ugd/0bcf16_f928af110ed34374a1922e28ec4dab04.pdf
    • https://static.usrfiles.com/ugd/b8c837_709d2b4d8b6d45a790c0f99b97b2bc98.pdf
    • https://static.usrfiles.com/ugd/6260fe_fc9c095442dd49178a5cad1461308846.pdf
    • https://static.usrfiles.com/ugd/50988c_7226e82d79fb4b41ab298a20602e3018.pdf
    • https://static.usrfiles.com/ugd/4d6844_078e7972c9ed4f4c9b8ec75d56207fb3.pdf
    • https://static.usrfiles.com/ugd/1849a1_9130e3f672944b4fa490bdf12cfc4c61.pdf
    • https://static.usrfiles.com/ugd/225520_76417aef2c7e4c77a8416b032ca72715.pdf
    • https://static.usrfiles.com/ugd/3615fb_e87d12876ebb4645babddb6002514f88.pdf
    • https://static.usrfiles.com/ugd/dc98cc_45f8b7d8571749b481338614b810e31c.pdf
    • https://static.usrfiles.com/ugd/436160_bac2a0f4051c4fc687a1656f70f9ee75.pdf
    • https://static.usrfiles.com/ugd/1849a1_81eef799214c4a3ab64c63804e6bb308.pdf
    • https://static.usrfiles.com/ugd/5ea4d5_4b9b45e9d1f4455b9e8c952b574ad5ed.pdf
    • https://static.usrfiles.com/ugd/cbdbb6_88cddfc508ea4fcd90710949499842e0.pdf
    • https://static.usrfiles.com/ugd/be5703_23fea3d59e51492388ae24da8413cf79.pdf
    • https://static.usrfiles.com/ugd/4aae87_85f8da3d56ae4ba7aff3df501b80a704.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ec7.bin
802f94e522768e6816a2365af4c485e47805139b33beec57f844802645f1c045		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EC7 5448 bytes
font_01_sfnt_off0000716a.bin
eec994edfd45ac92fd29b3e82d5833bfa25f6e1a9e23693139c410334963c281		 pdf-font-stream PDF embedded font (sfnt) at offset 0x716A 10348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.