Malicious PDF — malware analysis report

Static analysis result for SHA-256 575a739a9b790656…

Verdict: MALICIOUS
File type: PDF
Size: 35.0 KB
Created: 2020-09-16 15:58:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46c9e2f4277af4f47602c999209f5829
SHA-1: 0ddae36a6d7f074a7b4935a350e570737aad2f63
SHA-256: 575a739a9b790656cc6ed43aa0b0810ed5c3f987119c930ed77b6230aa0401f2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link farm and a direct link to a known malicious redirector, disguised as an educational worksheet. The heuristics PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM indicate that the document is intended to redirect users to malicious infrastructure. The embedded URLs are likely part of a phishing or malware distribution scheme.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.link/wix?keyword=volume+of+cylinders+and+rectangular+prisms+worksheet
    • http://files.bahainorthflorida.com/uploads/1/3/1/4/131438062/ruborumure-pujikiva-tobose.pdf
    • http://files.quitosltd.com/uploads/1/3/2/6/132681938/5b6a0c74.pdf
    • http://powak.laslenguitasclasses.com/uploads/1/3/0/9/130968996/6187783.pdf
    • http://siweb.carolmeadsart.com/uploads/1/3/1/4/131453960/40bac6d1884291b.pdf
    • http://bumibezo.nejcrwc.com/uploads/1/3/0/7/130739235/kamikifo.pdf
    • https://cdn.shopify.com/s/files/1/0429/4279/1839/files/bank_secrecy_act_full.pdf
    • https://3d5b0252-70c3-4101-8ee6-f43234f73917.filesusr.com/ugd/2994dd_b06afcafc960404d83404fd1bd266119.pdf?index=true
    • https://94b3b21d-14ee-4d2b-a80f-d993f6e6c342.filesusr.com/ugd/8bf3fc_30acbcf13065495898cd4174eed0d719.pdf?index=true
    • https://5ea413f3-7c38-460c-b283-62d744c7cefc.filesusr.com/ugd/80bfa9_cf8eb9b8920940e79f4332959a65035b.pdf?index=true
    • https://46bd80b1-0df3-4b90-bd10-b66414f5ba08.filesusr.com/ugd/221eaa_c4bdd0c60cd1461aa4ed16bf148626df.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004a16.bin
  SHA-256: 06896cdce640fa25da259ad02c05dc9bc365c02525f3bc2fa159ceacf171fcc6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4A16
  Size: 5792 bytes

Filename: font_01_sfnt_off00005dc4.bin
  SHA-256: 52312746d2e65d45c25073e4e4c8b2a77ed9747bb111218fc26721f2d5b62ecc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5DC4
  Size: 9740 bytes