Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a0ae30c158ee820…

Verdict: MALICIOUS
File type: PDF
Size: 60.2 KB
Created: 2020-08-31 06:29:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 892bfffc51060d3e877fd6fad7d446fa
SHA-1: 2cddaaac64dcad7d289b06d7743fb8f11783c68a
SHA-256: 8a0ae30c158ee820fd06bc57436a3d721effda004832539f1afe5505fff5a642
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded links and is classified as a 'PDF SEO Link Farm'. One of those links, 'https://ttraff.com/wix?keyword=intermediate+algebra+7th+edition+robert+blitzer', is flagged as a known malicious redirector; the other 14 extracted clickable links point to further PDFs hosted under static.usrfiles.com. The document's primary purpose is therefore to lure users into clicking links that likely lead, through redirect chains, to phishing pages or malware downloads. No PDF parser vulnerability is involved, so the file is only dangerous when a user follows one of its links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in what the link resolves to at click time, not in opening the file.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains; a normal document's citations are neither this dense nor this concentrated on a single host.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL (malicious redirector):
    • https://ttraff.com/wix?keyword=intermediate+algebra+7th+edition+robert+blitzer
    Clickable external PDF links counted by PDF_SEO_LINK_FARM (all on static.usrfiles.com):
    • https://static.usrfiles.com/ugd/b8bbd7_4a77f82f6dfd4695a9ab311f0b2e1c52.pdf
    • https://static.usrfiles.com/ugd/b8c837_f5d37feffc15469badd09f3a45dd958d.pdf
    • https://static.usrfiles.com/ugd/d99ef3_be2bd2704f1d4779a4321744e64f4afc.pdf
    • https://static.usrfiles.com/ugd/a44510_56c6fa99be3e4929928ee2dfeb0b22bd.pdf
    • https://static.usrfiles.com/ugd/9c0842_fbf0150fba1b4285b7e880a43fdf05f2.pdf
    • https://static.usrfiles.com/ugd/b8c837_ef9bff7715084d1098bf4381f9438443.pdf
    • https://static.usrfiles.com/ugd/5ed537_38d61798f7cb4e999277d47798585e8f.pdf
    • https://static.usrfiles.com/ugd/3aee12_483c893cf2f3468d8bd4dd04470f304c.pdf
    • https://static.usrfiles.com/ugd/b8c837_2a61fc3bb1214983a4047278be7b03db.pdf
    • https://static.usrfiles.com/ugd/b7ed05_52f5cf7e3eda4272aa1e87812dfc8cf8.pdf
    • https://static.usrfiles.com/ugd/04e6f9_0d03c6bdb90f4eb3935e7bdd6a8b2403.pdf
    • https://static.usrfiles.com/ugd/87a178_6ee26cfcc9784c34923b9a5a132b3d42.pdf
    • https://static.usrfiles.com/ugd/b8c837_b8971dc1ba2d4eb3bac7a08742d40ac9.pdf
    • https://static.usrfiles.com/ugd/8127dd_d2f1114d168b438eab62d2a36b97acf3.pdf
    Standard XMP/RDF namespace identifiers (extracted from the document metadata; not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
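The two critical heuristics above describe a byte-level pattern that a practitioner can reproduce during triage: many /URI link-annotation actions concentrated on one host inside a small file, one of which points at a redirector. The script below is an added example written for this page, not the analyzer's own code. It pulls /URI actions out of raw PDF bytes, labels every URL it finds by the channel that carried it (link annotation, XMP namespace, or document body) in the way the EMBEDDED_URL note describes, and applies link-farm thresholds whose values are assumptions chosen for illustration. The sample PDF it runs on is constructed inline; the only real URL in it is the redirector quoted in the report, and the static.usrfiles.com paths are synthetic placeholders.

```python
"""Byte-level triage for the PDF SEO link-farm pattern flagged above.

Added example for this page, not the analyzer's code. It scans raw PDF
bytes for /URI link-annotation actions, labels every URL it finds by the
channel that carried it, and applies link-farm thresholds (assumed values,
not the analyzer's). Objects inside Flate-compressed object streams and
/URI values written as hex strings are not seen by this regex pass.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal) inside a link annotation's /A action dictionary.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Any http(s) URL anywhere in the file: XMP packet, Info dict, page text.
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"')]+")

# Standard XMP/RDF namespace URIs: present in almost every XMP packet and
# never user-clickable, so they are labelled but not counted as links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# Constructed link set modelled on the report: a dozen PDFs on one file host
# (synthetic paths) plus the redirector URL quoted in the report.
FARM_LINKS = [f"https://static.usrfiles.com/ugd/example_{i:02d}.pdf" for i in range(12)]
FARM_LINKS.append("https://ttraff.com/wix?keyword=intermediate+algebra+7th+edition+robert+blitzer")


def _unescape_pdf_literal(raw: bytes) -> str:
    """Undo PDF literal-string escapes such as \\( \\) and \\\\."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channel that carried it: 'link-annotation',
    'xmp-namespace' or 'document-body'. Annotation hits take priority."""
    urls = {}
    for m in URI_ACTION_RE.finditer(pdf):
        urls[_unescape_pdf_literal(m.group(1))] = "link-annotation"
    for m in ANY_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in urls:
            is_ns = url.startswith(XMP_NAMESPACE_PREFIXES)
            urls[url] = "xmp-namespace" if is_ns else "document-body"
    return urls


def link_farm_verdict(pdf: bytes, max_size=256 * 1024, min_links=8,
                      min_top_host_share=0.6) -> dict:
    """Flag a small file whose clickable links are numerous and concentrated
    on one host. Threshold defaults are assumptions for this example."""
    clickable = [u for u, ch in extract_urls(pdf).items() if ch == "link-annotation"]
    hosts = Counter(urlsplit(u).netloc.lower() for u in clickable)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(clickable) if clickable else 0.0
    return {
        "flagged": len(pdf) <= max_size and len(clickable) >= min_links
                   and share >= min_top_host_share,
        "file_size": len(pdf),
        "clickable_links": len(clickable),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "hosts": dict(hosts),
    }


def build_sample_pdf(links) -> bytes:
    """Constructed minimal one-page PDF: one /Link annotation per URL plus an
    XMP packet naming the usual namespaces. Sample input only; the xref
    table is omitted because byte-level triage does not need it."""
    annots, objs = [], []
    for n, url in enumerate(links, start=5):
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
        annots.append(f"{n} 0 R")
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           '<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/" '
           'xmlns:xmp="http://ns.adobe.com/xap/1.0/" '
           'xmp:CreatorTool="wkhtmltopdf 0.12.5"/></rdf:RDF></x:xmpmeta>')
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{' '.join(annots)}] >> endobj\n"
            f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
            f"stream\n{xmp}\nendstream\nendobj\n"
            + "".join(objs) + "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


if __name__ == "__main__":
    sample = build_sample_pdf(FARM_LINKS)
    for url, channel in extract_urls(sample).items():
        print(f"{channel:16} {url}")
    print(link_farm_verdict(sample))
```

To run it against a real file, pass `open(path, "rb").read()` to `link_farm_verdict`. Because the pass is a raw-byte regex, a clean result is not proof of absence: link annotations stored inside a compressed object stream, or a /URI written as a hex string, need a real parser (or decompression of the object streams first) before the same counting logic applies.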

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off00009641.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x9641    5056 bytes
  SHA-256: f9111ca69dee1a39bd6591887afb7b551cf4ba456105662b5f083055d92e39bd
font_01_sfnt_off0000a736.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xA736    14964 bytes
  SHA-256: e6215d1783361aba86b3ae153eae86f6683b525761883408d81d54a8ca4871bf
font_02_sfnt_off0000d56b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xD56B    4324 bytes
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c

All three artifacts are embedded sfnt font streams, as expected for a PDF rendered from HTML by wkhtmltopdf/Qt; none of them is referenced by a heuristic, and the verdict rests entirely on the link annotations.