Malicious PDF — malware analysis report

Static analysis result for SHA-256 94b7fcd95a35e3c8…

MALICIOUS

PDF

43.7 KB Created: 2020-09-02 13:39:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 94f7cbc21c80dd8d0a0566f9535398dd SHA-1: c89811233a957d88f96a1ab13f356a7dacc5703a SHA-256: 94b7fcd95a35e3c80a9eb6c1ab889722a88b76ed8b020cb2698f7c4be3d2c4a9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document's content and structure suggest it's part of an SEO link farm designed to drive traffic to malicious sites. The primary attack pattern involves luring users through deceptive content and redirecting them to potentially harmful destinations.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=prepositional+phrase+practice+worksheet+pdf
    • https://cdn.shopify.com/s/files/1/0427/9956/2911/files/kizorewimu.pdf
    • https://cdn.shopify.com/s/files/1/0437/6900/4190/files/android_studio_generate_signed_apk_not_working.pdf
    • https://cdn.shopify.com/s/files/1/0429/7339/7145/files/one_night_ultimate_werewolf_with_pla.pdf
    • https://cdn.shopify.com/s/files/1/0437/7188/7767/files/berliner_platz_1_neu_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0430/4135/7973/files/gexadefujurerisotamam.pdf
    • https://cdn.shopify.com/s/files/1/0437/9066/3832/files/disalekujojotufijuduniwu.pdf
    • https://cdn.shopify.com/s/files/1/0430/4227/5485/files/la_boite_a_pizza_menu.pdf
    • https://static.usrfiles.com/ugd/58a813_36c5ad5ccd7948ca9f36fb831fcea3ea.pdf
    • https://static.usrfiles.com/ugd/73c254_0250db4ed2cc4bd69ebbb8b269a94385.pdf
    • https://static.usrfiles.com/ugd/a8ca0f_60686c9922c44371b05cbec254fd6cb2.pdf
    • https://static.usrfiles.com/ugd/ae059d_e11b3140749e404d85984f25e47e4e66.pdf
    • https://static.usrfiles.com/ugd/12745a_73937e0741eb424d98d716a689507fd6.pdf
    • https://static.usrfiles.com/ugd/e2f197_de5084d3a52744d28b203b2d4aa60c12.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fb1.bin
3892ab7bc712c5106848d3202a46ce37b3c627ccf52a5694a171a84bd6ef4039		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FB1 5188 bytes
font_01_sfnt_off00007152.bin
e93e2c450f61469b4025e8be9bb88ae3f57270ed2abcedac944b4154b6eb992f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7152 10240 bytes
font_02_sfnt_off000093f9.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x93F9 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.