Malicious PDF — malware analysis report

Static analysis result for SHA-256 926ed3c7afdd6b00…

Verdict: MALICIOUS
File type: PDF
Size: 74.0 KB
Created: 2020-09-20 00:13:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96403358628f3c2439e15d0176f7913d
SHA-1: c2b30bf7bdcf8b600550ad0f2de75f9cb6449a45
SHA-256: 926ed3c7afdd6b009095c89f6eab5885e9b378f5695ebd0bdacdcf298079e665
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.001 Malicious Link

The PDF contains a large number of external links and impersonates a cloud-document lure to trick the user into clicking. One critical heuristic identified a link to known malicious redirector infrastructure, specifically 'https://ttraff.link/wix?keyword=google+educator+certification+study+guide'. This suggests the primary goal is to lead the user to a malicious website, most likely for phishing or malware delivery. No scripts were extracted from this sample.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [medium] SE_CLOUD_DOC_LURE: Cloud document impersonation lure
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=google+educator+certification+study+guide

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e306.bin
    SHA-256: 02611f8f6a08afd08b5fb1b924111b777a579cb443cb935eba2839fe80fc5290
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE306
    Size: 5320 bytes
  • font_01_sfnt_off0000f53e.bin
    SHA-256: 7f32e8648122593388ee37855916ee18aacf111196322b258cd60ae34794012f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF53E
    Size: 11312 bytes