Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3c0633e215be19d…

MALICIOUS

PDF

Size: 34.8 KB
Created: 2020-09-21 13:41:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 51f2cb3a8e426dd0ef134476cadd3dda
SHA-1: 04fabd15ac904b324b878a4d93e95abe52203283
SHA-256: a3c0633e215be19d057d8cdf74d266183126e84a950f7380b489df253abbc699
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though partially corrupted, contains text suggesting it is a lure for educational materials, likely to trick users into clicking the malicious link. The presence of a link farm and a malicious redirector indicates a phishing or scam attempt designed to lead users to malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=glencoe+geometry+textbook+chapter+1+answers
    • http://kinid.johnwesleymillercompanies.com/uploads/1/3/2/8/132814946/pamamej-ginif-netemal-gajalobubamil.pdf
    • http://files.seilafernandezarconada.net/uploads/1/3/1/4/131411596/3572b.pdf
    • http://files.kristinemiles.com/uploads/1/3/0/8/130873877/64af10b1d.pdf
    • http://files.showmyboutique.com/uploads/1/3/1/0/131070458/zawotawoneru.pdf
    • https://3e6ba451-cf4d-4469-b5fd-68966b202cf9.filesusr.com/ugd/32acb1_fb187aa2ad7e4b8ab1ec26ee82be4bd3.pdf?index=true
    • https://71d8eba5-64cf-4cde-b246-54608112b788.filesusr.com/ugd/289c5e_aadeba617ebd4d8ab26b513038907db6.pdf?index=true
    • https://25ad423c-4871-42e9-b38e-74142acb684f.filesusr.com/ugd/66f3f9_0d8c10e022ac4ab6af92a51a0d61206e.pdf?index=true
    • https://86c92ba4-1937-4685-8162-acb9ef4c300c.filesusr.com/ugd/47e66e_0a43e48f5c834f09983db2967e5f6201.pdf?index=true
    • https://e3e14cf2-3128-43bc-9048-e4418b206822.filesusr.com/ugd/c75f60_099a5797f53a41b598f21269960fac92.pdf?index=true
    • https://6e89c989-678e-48c2-8620-904f37ea01b3.filesusr.com/ugd/ab059d_6865a3fd913f4d63960068e3e1d9f821.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000049d7.bin
  SHA-256: 99318c597020d56b7d63e43dc21dba03cbf71c34a8c39f7b886ea33ef51c9db5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x49D7
  Size: 5896 bytes

Filename: font_01_sfnt_off00005de1.bin
  SHA-256: 13cbd7209e18b4780bbe41a127e922221662308e01c6371e87c39b3304b7cf2e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5DE1
  Size: 9676 bytes