Malicious PDF — malware analysis report

Static analysis result for SHA-256 82af42a2cb038665…

Verdict: MALICIOUS
File type: PDF
Size: 155.8 KB
Created: 2020-08-15 01:03:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 448b3184fdde5c5b17100a04fe307ccb
SHA-1: 69bdc40c123b17359092e07a4b50537cbb9af60f
SHA-256: 82af42a2cb038665f1d13abdb45cc908dd86abc63f9d92680079a199451cd722
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggered a heuristic for a malicious redirector link, which points to a URL crafted to impersonate a Cambridge FCE answer sheet. This URL is the primary indicator of malicious intent and most likely serves as a lure leading to a phishing or malware distribution site. No scripts were extracted and the document body is heavily obfuscated, but the presence of the malicious URL strongly suggests a phishing or social engineering attack.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=cambridge+fce+answer+sheet+2015

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • font_00_sfnt_off0001d88f.bin
    SHA-256: f30442f9f119348f742e137e29bd5965c4cb9d20dd5015d0100383543333356e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D88F
    Size: 18016 bytes
  • font_01_sfnt_off00020918.bin
    SHA-256: 065508a4c55527ab0d3923ccc8fde03ef77b62a87463ffd0e376506f5fcf9092
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x20918
    Size: 5992 bytes
  • font_02_sfnt_off00021d71.bin
    SHA-256: 1b8d633277b7d74cedfa0f534225149893c8ae809533d77940b3aec5d27e6e2b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21D71
    Size: 9204 bytes
  • font_03_sfnt_off00022ffc.bin
    SHA-256: cd5e83ff7978f4961716e902b0c6f7f8187e8774e7b44fa617f51affc90ad5a0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x22FFC
    Size: 16160 bytes