Malicious PDF — malware analysis report

Static analysis result for SHA-256 95b676755bf6d4bc…

MALICIOUS

PDF

Size: 36.6 KB
Created: 2020-09-18 07:12:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58e89380babf902c55ee98f008138f45
SHA-1: 2ca8c105a5513cc05114c6523017d74686a9f94a
SHA-256: 95b676755bf6d4bc41ecc1ef45c30893ba57b1a8fa88ebe0cc9ef333c6b5154f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, a pattern commonly used for SEO poisoning or for redirecting users to malicious sites. One prominent link, 'https://ttraff.club/wix?keyword=relative+adverbs+exercises', is identified as a malicious redirector. The document body, although heavily obfuscated, also contains this URL and the other PDF links, reinforcing the assessment that the file is intended to direct users to potentially harmful content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.club/wix?keyword=relative+adverbs+exercises
    • http://lawiwubed.caremoresa.com/uploads/1/3/0/8/130874601/zafuvu.pdf
    • http://kuverogu.exclusivepet.net/uploads/1/3/1/4/131414019/mofita.pdf
    • http://vanok.shortsafaris.com/uploads/1/3/2/6/132681746/tirufesafe-xurusapedu-rorez.pdf
    • http://files.baretablecatering.com/uploads/1/3/0/8/130873927/vefofalasalewu_tofufa.pdf
    • http://busido.ahmotivation.com/uploads/1/3/2/8/132814930/xiwuxo.pdf
    • https://84abf7c1-f693-4771-b077-0902e66dd354.filesusr.com/ugd/370021_755856a8c5ef4b1f86863b8816ed2694.pdf?index=true
    • https://09452c1b-0b51-46bb-9181-9d755442705e.filesusr.com/ugd/e32576_4e8f113b76c64a558ef64d723b4d0516.pdf?index=true
    • https://1482b4dd-9449-4645-b7d0-1c1dc14e961a.filesusr.com/ugd/dad7b5_28dc3536cf0048e09af58764149d59d0.pdf?index=true
    • https://3f530fd3-2c22-4974-af75-21cbc1fd4fa6.filesusr.com/ugd/696117_1af99600725940798f37523274f81709.pdf?index=true
    • https://18a9b21e-8b51-492e-8aa7-15585000a7a6.filesusr.com/ugd/113e89_90c1b8626f72408b87eb79f28f5ab491.pdf?index=true
    • https://398ba15c-eb62-43bf-9675-b0805ca7c0a0.filesusr.com/ugd/1cc777_2de78dd6a76d44a49fb87423ec4380f3.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        | Kind            | Source                                     | Size
font_00_sfnt_off00005288.bin    | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5288  | 5208 bytes
  SHA-256: 228a041670d3d007d5ee53c2ac4d46c1f0028f3c64b871d1d8b53ba4ca2afa3e
font_01_sfnt_off00006452.bin    | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6452  | 9964 bytes
  SHA-256: 9df6adc01308e68695460dc1f69914e223a547a2423493226d5884bcc8397733