Malicious PDF — malware analysis report

Static analysis result for SHA-256 842dc8bb75b2fd9f…

Verdict: MALICIOUS
File type: PDF
Size: 32.8 KB
Created: 2020-08-20 22:21:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68cd7a0533d20eb9232befeb6c216ea0
SHA-1: b8bb01e3d666fcd487d901e193dd8bdf8cd35c4b
SHA-256: 842dc8bb75b2fd9fdd84885fd337f610801d6c009ce0dd3a05a837b9d3b0b3dc
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggers a heuristic indicating that it links to a known malicious redirector. The document body, though heavily obfuscated, contains text related to an 'irony worksheet answer key' and includes the malicious URL. This suggests the document's primary purpose is to lure users into visiting the malicious redirector by posing as educational material. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.cc/pify?keyword=irony+worksheet+5+answer+key

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004565.bin
  SHA-256: 36fc2b49279fcd7c6713a73a674b1fb902c729712e51232481dffd13e6d53db9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4565
  Size: 5060 bytes

Filename: font_01_sfnt_off000056b5.bin
  SHA-256: 93fdfe09aa0a36bd222b71e9a462080de026690f56631dc9add964d897a1e412
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x56B5
  Size: 9356 bytes