Malicious PDF — malware analysis report

Static analysis result for SHA-256 8dda087c8713d279…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Created: 2020-09-01 01:39:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4108c2b3b4c6c34dcbb117af279a2802
SHA-1: 9588b57610a6872d54c04f5aafc92bf09e57f409
SHA-256: 8dda087c8713d27912a71a2403f2d970d4e5914399e509980d22a60a16bdd355
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded links, and a critical heuristic fires indicating a PDF link farm. One of the primary links, https://ttraff.cc/wix?keyword=the+rock+cycle+worksheet+answers+key, is flagged as malicious. The document body, though heavily obfuscated, also contains this URL, which suggests the document's purpose is to lure users to malicious sites by appearing to offer legitimate content such as worksheets.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.cc/wix?keyword=the+rock+cycle+worksheet+answers+key

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006d4d.bin
    SHA-256: e89ba2985b258e997ff458cc85d1058923860164a1770b1f73d4098fc736f18f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D4D
    Size: 5092 bytes
  • Filename: font_01_sfnt_off00007eaf.bin
    SHA-256: 98cf1f84543a15578efe569cfd652a6662fe1a04687322af9087a85a94bd1a30
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7EAF
    Size: 10240 bytes