Malicious PDF — malware analysis report

Static analysis result for SHA-256 7acd1cd7e13b6d44…

Verdict: MALICIOUS
File type: PDF
Size: 39.6 KB
Created: 2020-09-18 10:56:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 639eae303ac6acfe89af67048df0cc1b
SHA-1: bbad10f18ca8907ca3ab7c8d40d27c726cc1f44b
SHA-256: 7acd1cd7e13b6d44319b534dadcfb6560fab2fc8217c5589414bbefb4c34f875
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a mass of external links, with one specifically pointing to a known malicious redirector. The document body text, though garbled, includes the URL 'https://ttraff.link/wix?keyword=5th+grade+science+sound+study+guide', suggesting a lure to a malicious site disguised as educational material. The presence of numerous PDF links indicates a link farm strategy, likely for SEO poisoning or to distribute further malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.link/wix?keyword=5th+grade+science+sound+study+guide

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005cbf.bin
    SHA-256: c1b71899aca111b814baa182feb21082691660eb3b56069aab876c06b52fca01
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5CBF
    Size: 5300 bytes
  • font_01_sfnt_off00006ec7.bin
    SHA-256: e45663539750894e34c7795cf84e4398d04c86a124f70bf80bbe734efd900405
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6EC7
    Size: 10384 bytes