Malicious PDF — malware analysis report

Static analysis result for SHA-256 9529c92fa2a11f95…

MALICIOUS

PDF

38.9 KB Created: 2020-09-14 02:33:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6cd29fc08d1875c2b16817bd4f69e3dc SHA-1: ff432abca8bae562eb065d9f65e54c2f862a77e3 SHA-256: 9529c92fa2a11f95ae01a02a2f24fcca71bff71c78602b659228299534520c2f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK pointing to 'https://ttraff.me/pify?keyword=codehs+methods+answer+key'. This indicates the document is designed to redirect users to potentially malicious content. The document body, though heavily obfuscated, contains text fragments that, when combined with the embedded links, suggest a lure related to 'Codehs methods answer key'. The presence of a link farm heuristic further supports the malicious intent of distributing links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=codehs+methods+answer+key
    • http://files.bonniesmart.com/uploads/1/3/1/8/131871717/750128.pdf
    • http://fitesifir.sweetcitymicros.com/uploads/1/3/0/7/130776330/sunadezude-kexosalevi-juzofi.pdf
    • http://files.alexarainewright.com/uploads/1/3/1/3/131379894/kavojusagoposinaret.pdf
    • http://files.tilitoimistoanjasimola.com/uploads/1/3/2/6/132682685/2126239.pdf
    • http://zorumot.yrpm.ca/uploads/1/3/0/7/130775565/763de2.pdf
    • https://static.usrfiles.com/ugd/fd3290_37301fb41cf94d06b1ec50904fb8a4e5.pdf
    • https://static.usrfiles.com/ugd/b48b60_8b357425a4294a0aa3e79eb73965e82f.pdf
    • https://cdn.shopify.com/s/files/1/0429/5704/5913/files/nujeguvuxu.pdf
    • https://cdn.shopify.com/s/files/1/0431/8094/9659/files/tangled_healing_song.pdf
    • https://cdn.shopify.com/s/files/1/0482/9446/1601/files/70132692162.pdf
    • https://cdn.shopify.com/s/files/1/0433/0058/5625/files/cowboys_vs_eagles_injury_report.pdf
    • https://cdn.shopify.com/s/files/1/0433/5920/7579/files/33244717884.pdf
    • https://cdn.shopify.com/s/files/1/0427/9074/8316/files/gosilo.pdf
    • https://cdn.shopify.com/s/files/1/0436/3563/8425/files/36948811013.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005acf.bin
fad07aec425f7604665ecdf5de62a835e1f4246a9ec84b901f08b19c5110a097		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5ACF 5196 bytes
font_01_sfnt_off00006c59.bin
d95a2af5f95d0a5513d668d943c54056913d2f3f2ad6c15f20b96c896bbd25d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C59 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.