Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ae7ef0c31f156a6…

Verdict: MALICIOUS
File type: PDF
Size: 50.5 KB
Created: 2020-09-17 04:57:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e734bcbeb61deafbe7dfc27156ff9f5
SHA-1: 280b2f57d928e32b85572d6ecad1ac273a13c101
SHA-256: 8ae7ef0c31f156a65f2f98f69d202a75374a59de58da701f078ac99b42db7c3c
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous embedded links designed to create a link farm, a common tactic for SEO manipulation and potentially distributing malicious content. One critical heuristic identified a link to a known malicious redirector, which is further supported by the document body containing a lure related to 'photomath on computer unblocked' and a URL that appears to be part of an advance-fee scam. The document's structure and content strongly suggest a social engineering attack aimed at tricking users into visiting malicious websites.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.link/wix?keyword=photomath+on+computer+unblocked
    • http://files.cappuccinoandcornfields.com/uploads/1/3/1/0/131069893/texomutalosasemajot.pdf
    • http://files.vikkifieldsartist.com/uploads/1/3/1/8/131856852/5bb932e0eb99c4a.pdf
    • http://bexare.kimsheavenlyblingbash.com/uploads/1/3/1/4/131406532/3988754.pdf
    • http://jeramedun.elizabethsfarmhouse.com/uploads/1/3/0/7/130775851/7703271.pdf
    • http://divonilif.designsbydiblankets.com/uploads/1/3/0/8/130874493/e9648c.pdf
    • http://jibivos.carpetcleaningstpete.com/uploads/1/3/0/7/130738948/zikuvunowimabafasor.pdf
    • http://files.northdevonlabour.org/uploads/1/3/1/3/131382092/ee80846440611a.pdf
    • https://9d595ece-74e5-4f42-b608-5d6e977d65df.filesusr.com/ugd/1a1092_4de2d0e36bef4ee59fafb21ff88b2233.pdf?index=true
    • https://4b8cd296-6cd2-4d01-af18-08c599fffc01.filesusr.com/ugd/bfbc46_ac7a6b961023442da99d7ce8398f77df.pdf?index=true
    • https://12586191-265b-43ac-a72a-f2d620895d99.filesusr.com/ugd/5e81b9_b380ca67b8bb4ccd82b8396525204d85.pdf?index=true
    • https://d4290c44-37cd-4b05-b0ac-32b91a74fc31.filesusr.com/ugd/7c30af_a3818c86ea8c4646bfe0ab723f4c1914.pdf?index=true
    • https://6fd3b0ee-43fa-45e6-b029-34fa39f0aec7.filesusr.com/ugd/d2751c_982facf72add4b74abe2cdd29fccf62f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

font_00_sfnt_off000063f1.bin
  SHA-256: 30a620ffbf1f61856cfcd1a0ebb5b76a463b4db96d15b61e782ba30a54a0b67d
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x63F1
  Size:    5176 bytes

font_01_sfnt_off0000754e.bin
  SHA-256: a7015ee379d50dc6afffa558b09b12acc760127dc28c125e79d60a607666ad29
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x754E
  Size:    10728 bytes

font_02_sfnt_off00009a1a.bin
  SHA-256: 2a5f1667c2e343500efde63e3dd6a136498333968b1680966ac5eb34589f1174
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9A1A
  Size:    16144 bytes

font_03_sfnt_off0000af19.bin
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xAF19
  Size:    4324 bytes