Malicious PDF — malware analysis report

Static analysis result for SHA-256 840b20bd4c47aeb9…

Verdict: MALICIOUS
File type: PDF
Size: 64.0 KB
Created: 2020-08-31 15:58:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d5eb9a15aca2ef6c0c4bfb15e049e07d
SHA-1: e092de2adc539f25614e1b6b13be0e31c56d9eda
SHA-256: 840b20bd4c47aeb92465e8fad89aebd69e0d8a92a62c63b42600aeffd842e47b
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell
Note: in ATT&CK, T1566.002 is Spearphishing Link (Spearphishing Attachment is T1566.001); the link-based findings below fit T1566.002, while delivery of this PDF as a mail attachment would additionally be T1566.001. None of the four static heuristics below reports JavaScript, a launch action or any embedded script, so the T1059.001 PowerShell mapping is not evidenced by this report and should be treated as unconfirmed until dynamic analysis of the redirect chain shows it.

The PDF contains a clickable link to a redirector URL (ttraff.cc), a common delivery mechanism in which the document itself carries no exploit and the payload or phishing page is selected server-side after the click. The document body, though heavily obfuscated, contains text related to an 'answer key', and the redirector URL's keyword parameter decodes to 'fts answer key 2019 sst general', so the lure is a student searching for exam answer keys. The PDF also contains twelve clickable links to other PDFs hosted on just two CDN hosts (cdn.shopify.com and static.usrfiles.com), the signature of a generated SEO link farm used to route search-engine visitors into malware or credential-phishing chains. Nothing in the static findings indicates a PDF parser vulnerability; the sample relies entirely on user interaction.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_URGENCY_LURE: Urgency / deadline lure
    Document contains urgency or deadline language (phrases of the kind 'account will be terminated', 'action required within 24 hours'). Useful context, but low-signal without other findings.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link targets (/Link annotations):
    • https://ttraff.cc/wix?keyword=fts+answer+key+2019+sst+general (redirector; the keyword parameter decodes to 'fts answer key 2019 sst general')
    • https://cdn.shopify.com/s/files/1/0434/8100/6244/files/91462448076.pdf
    • https://cdn.shopify.com/s/files/1/0433/4649/3605/files/46810669710.pdf
    • https://cdn.shopify.com/s/files/1/0432/3803/1518/files/motilufukatamerilepu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/niriliruvurufuwupaku.pdf
    • https://cdn.shopify.com/s/files/1/0429/9826/8065/files/wadijoduwovoxis.pdf
    • https://cdn.shopify.com/s/files/1/0430/2258/1923/files/risubazaxumusamogux.pdf
    • https://static.usrfiles.com/ugd/3ce946_d43940ca7a4a499c8c8026146239d35b.pdf
    • https://static.usrfiles.com/ugd/7baf93_2eb4895e017f4421b202b5dbdc1a13d5.pdf
    • https://static.usrfiles.com/ugd/73f3b0_f12f44f43b2048ceb462f9f77bd911a1.pdf
    • https://static.usrfiles.com/ugd/b8c837_e92078842fa141ccbf09640afcee7c59.pdf
    • https://cdn.shopify.com/s/files/1/0429/5829/1093/files/72492899467.pdf
    • https://cdn.shopify.com/s/files/1/0428/6929/3215/files/algebraic_geometry_vakil.pdf
    Standard XMP/RDF namespace identifiers from the metadata stream (not clickable links; present in most generated PDFs and not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Truncated string, as extracted:
    • https://cdn.shopify.com/s/files/1/0434/8100/6244/files/91462448076.pd
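The three link-based checks above (EMBEDDED_URL channel labelling, PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM) can be reproduced with the standard library alone. The following is an added example, not code from this report or from the scanner that produced it: it builds a constructed carrier PDF containing the URLs listed above, labels each URL by the channel that carried it, and applies the two critical rules. The regexes, the redirector host list and the thresholds (minimum link count, cluster ratio, maximum file size) are illustrative assumptions, not the scanner's real values.

```python
"""Added example (not the report's or scanner's code): stdlib re-implementation
of EMBEDDED_URL channel labelling, PDF_MALICIOUS_REDIRECTOR_LINK and
PDF_SEO_LINK_FARM.  Sample PDF bytes, host list and thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Simplification: matches "/S /URI /URI (...)" as written by build_sample_pdf;
# a real parser walks /Annots objects and accepts any key order.
URI_ANNOT_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)")
ANY_URL_RE = re.compile(rb"""https?://[^\s"'<>()]+""")

# Assumed values: ttraff.cc is listed only because the report above labels it
# redirector infrastructure; the three thresholds are illustrative.
REDIRECTOR_HOSTS = {"ttraff.cc"}
LINK_FARM_MIN_PDF_LINKS = 8
LINK_FARM_CLUSTER_RATIO = 0.5
LINK_FARM_MAX_FILE_SIZE = 100 * 1024


def build_sample_pdf(link_uris, xmp_namespaces):
    """Constructed test input: PDF-like bytes with one /Link annotation per URI
    and an XMP metadata stream.  No xref table; enough for the regex scanner."""
    objs = []
    for num, uri in enumerate(link_uris, start=4):  # URIs here contain no parens
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
                    f" /A << /S /URI /URI ({uri}) >> >>\nendobj\n")
    xmlns = "".join(f' xmlns:ns{i}="{ns}"' for i, ns in enumerate(xmp_namespaces))
    objs.append("3 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
                f"<rdf:RDF{xmlns}></rdf:RDF>\nendstream\nendobj\n")
    return ("%PDF-1.4\n" + "".join(objs) + "%%EOF\n").encode("latin-1")


def extract_urls(pdf_bytes):
    """Map each URL to the channel that carried it.  A URL seen only in raw
    bytes (XMP namespaces, body text) is 'document_body', never clickable."""
    urls = {}
    for m in URI_ANNOT_RE.finditer(pdf_bytes):
        uri = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo PDF string escapes
        urls[uri.decode("latin-1")] = "link_annotation"
    for m in ANY_URL_RE.finditer(pdf_bytes):
        urls.setdefault(m.group(0).decode("latin-1"), "document_body")
    return urls


def analyse(pdf_bytes):
    """Return (urls, findings); each finding is (rule, severity, detail, extra)."""
    urls = extract_urls(pdf_bytes)
    clickable = [u for u, ch in urls.items() if ch == "link_annotation"]
    findings = []
    for u in clickable:  # only clickable channels can fire the redirector rule
        parts = urlparse(u)
        if parts.hostname in REDIRECTOR_HOSTS:
            lure = parse_qs(parts.query).get("keyword", [""])[0]  # '+' becomes ' '
            findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", u, lure))
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS and len(pdf_bytes) <= LINK_FARM_MAX_FILE_SIZE:
        host, count = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if count / len(pdf_links) >= LINK_FARM_CLUSTER_RATIO:  # clustered on one host
            findings.append(("PDF_SEO_LINK_FARM", "critical", host, count))
    return urls, findings


# URLs from the report above, embedded in a constructed carrier so this runs offline.
SAMPLE_LINKS = [
    "https://ttraff.cc/wix?keyword=fts+answer+key+2019+sst+general",
    "https://cdn.shopify.com/s/files/1/0434/8100/6244/files/91462448076.pdf",
    "https://cdn.shopify.com/s/files/1/0433/4649/3605/files/46810669710.pdf",
    "https://cdn.shopify.com/s/files/1/0432/3803/1518/files/motilufukatamerilepu.pdf",
    "https://cdn.shopify.com/s/files/1/0433/0687/7080/files/niriliruvurufuwupaku.pdf",
    "https://cdn.shopify.com/s/files/1/0429/9826/8065/files/wadijoduwovoxis.pdf",
    "https://cdn.shopify.com/s/files/1/0430/2258/1923/files/risubazaxumusamogux.pdf",
    "https://static.usrfiles.com/ugd/3ce946_d43940ca7a4a499c8c8026146239d35b.pdf",
    "https://static.usrfiles.com/ugd/7baf93_2eb4895e017f4421b202b5dbdc1a13d5.pdf",
    "https://static.usrfiles.com/ugd/73f3b0_f12f44f43b2048ceb462f9f77bd911a1.pdf",
    "https://static.usrfiles.com/ugd/b8c837_e92078842fa141ccbf09640afcee7c59.pdf",
    "https://cdn.shopify.com/s/files/1/0429/5829/1093/files/72492899467.pdf",
    "https://cdn.shopify.com/s/files/1/0428/6929/3215/files/algebraic_geometry_vakil.pdf",
]
SAMPLE_XMP_NS = [
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, SAMPLE_XMP_NS)

if __name__ == "__main__":
    found_urls, found = analyse(SAMPLE_PDF)
    for url, channel in found_urls.items():
        print(f"[{channel}] {url}")
    for finding in found:
        print(*finding)
```

Run against the constructed carrier, the XMP namespace URIs come back labelled document_body and never reach the two rules, the ttraff.cc annotation fires the redirector rule with the decoded lure text, and the twelve .pdf links (eight on cdn.shopify.com) fire the link-farm rule. The channel split is the point: a URL string in metadata or body text is context, while a /Link annotation is what a victim can actually click.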

Extracted artifacts (2)

Files carved from inside the sample during analysis. Embedded sfnt (TrueType/OpenType) font streams are normal in generated PDFs; the hashes are kept for correlating carriers across samples, not as indicators on their own.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000ba82.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xBA82   5548 bytes
  SHA-256: 50a48086b0f5b7ce2ce0b22ba2d13dfb16e7636686829e71623b4824e441d32e
font_01_sfnt_off0000cd9a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xCD9A   11172 bytes
  SHA-256: 0851affa78186d7dc9f345b7fc6f6bb901570e6eaded3dd5b789e54f4772d851