Malicious PDF — malware analysis report

Static analysis result for SHA-256 a23269347620f817…

MALICIOUS

PDF

Size: 48.7 KB
Created: 2020-09-20 10:50:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ebc70f872f6f626d0f3658100f41848
SHA-1: 87216cceeabbf92ff6a2a510dd682e782e1dcbbf
SHA-256: a23269347620f8172887c90af9e636967fe893ba2b650fe89c1b7583628af966
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains the text 'Probabilidad clasica y ejemplos' and the malicious URL 'https://ttraff.link/wix?keyword=probabilidad+clasica+y+ejemplos', suggesting a lure to a site related to probability examples. The presence of numerous other PDF links further indicates a link farm or redirection strategy. The primary intent appears to be directing the user to malicious infrastructure via the embedded links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=probabilidad+clasica+y+ejemplos
    • http://kowodem.casewayproducts.com/uploads/1/3/1/8/131858540/4104337.pdf
    • http://files.yorkchaplaincy.org/uploads/1/3/1/1/131164027/kopekadipabogas.pdf
    • http://files.drewfornarola.com/uploads/1/3/1/4/131409794/pokifedapa_vimaxop.pdf
    • http://zijebalu.slpechowan.com/uploads/1/3/1/3/131397997/1838839.pdf
    • https://5114d1cb-8855-41b3-8e7e-8863d69e1ce8.filesusr.com/ugd/3fd21f_fe43b78264ed478b862e6d575672a39e.pdf?index=true
    • https://4055c9be-44b9-420d-b38c-6d789d2fa324.filesusr.com/ugd/b463f2_5b81ca54b94c4733b47a720498a7b4e9.pdf?index=true
    • https://7d540489-2a54-4fed-81d7-8bac272c7680.filesusr.com/ugd/237bf7_c118db678a6d4ea98e510bb1d0ed6a4e.pdf?index=true
    • https://58443d31-ae9b-48b8-a044-cf0806617d3d.filesusr.com/ugd/76b6de_b705928aa6e74cfd99e47ea25a9844aa.pdf?index=true
    • https://cb952aa1-3c66-420c-be3d-0f31d7f1b030.filesusr.com/ugd/b91566_79e30fb18c874080a10d61cfdc1ff1a0.pdf?index=true
    • https://72a81080-ca51-4d9a-963e-f3671a2c3ee1.filesusr.com/ugd/8a05ec_648f773eabbd43b1b9f096291b8f0712.pdf?index=true
    • https://9b28cd07-0e05-470a-aef0-2c6529300583.filesusr.com/ugd/9904c2_3f8576e0dbc54a52acbca2b69033ceab.pdf?index=true
    • https://bf46b851-2111-4e21-bd5e-70b739339b20.filesusr.com/ugd/f34823_47b1a278cae54c399c6d36892fd1989e.pdf?index=true
    • https://1a2aecd7-233b-4e11-86fc-2e0a6ccbfc26.filesusr.com/ugd/b98abb_acaaefeaad6d4062a8a9d1a5de691aaf.pdf?index=true
    • https://a660c0d2-c3b2-4f72-ab1b-f510dc5cd5f4.filesusr.com/ugd/ca9b0a_ed33ea14ea214c11ba98634f98e1bd86.pdf?index=true
    • https://3224decc-87b2-4b8f-a8ea-5893c68f81b9.filesusr.com/ugd/3b0c81_d4fe204e353a4bc79d92e583b5f1318b.pdf?index=true
    • https://5ea413f3-7c38-460c-b283-62d744c7cefc.filesusr.com/ugd/80bfa9_cf8eb9b8920940e79f4332959a65035b.pdf?index=true
    • https://ba96f99e-b37f-4cd1-af18-a6766575bb4b.filesusr.com/ugd/8b61cf_8e69b48660e44725a64c09efbddcc0e9.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007bdd.bin
    SHA-256: 113cf16f797dbe472ca5e252f950134ed8ca88027ac9d35dd53c7f933f8311b5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7BDD
    Size: 5536 bytes
  • Filename: font_01_sfnt_off00008e9e.bin
    SHA-256: be3c5e6b4fba13d7b4518bf7dedc838237d674fd27902b449b7e66591d5fb585
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E9E
    Size: 11408 bytes