Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4029851f2337f2d…

Verdict: MALICIOUS
File type: PDF
Size: 65.5 KB
Created: 2020-09-22 00:04:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 16a32380ecf5bdeef7bb273c05f8e25f
SHA-1: 1750389df810fbe1a442711c86eb30e0ea1c15cd
SHA-256: a4029851f2337f2db97b534a7a32babf085e3380fd3978fc8a74c9e73cc6141f
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a high number of embedded links, with a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, pointing to `https://ttraff.link/wix?keyword=races+everquest+2`. Another critical heuristic, PDF_SEO_LINK_FARM, indicates a large number of external PDF links, suggesting a link farm for SEO manipulation or malware distribution. The document body, though heavily obfuscated, contains the same suspicious URL. No scripts were extracted from this sample.

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_URGENCY_LURE (low): Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=races+everquest+2
    • http://fosafu.authorjessicaprince.com/uploads/1/3/1/4/131482997/gamabegiv.pdf
    • http://files.gammaetaomegaaka.org/uploads/1/3/1/6/131636990/5608641.pdf
    • https://e55b45dc-00d7-4d9d-a883-74da3e0c3eca.filesusr.com/ugd/1c8c1e_fc6a363202cf4726a65dc0366a2bacf0.pdf?index=true
    • https://ae12b003-a280-4132-adc7-2571ccd6820b.filesusr.com/ugd/2ca22b_9af808ab9ddc48cd90012ea823b7524f.pdf?index=true
    • https://2fa51348-5131-4084-be96-38f8f453b89a.filesusr.com/ugd/585b1d_ecad71c02c21482eb64b489446b622ac.pdf?index=true
    • https://0b8bb0a3-a006-4efc-bdd5-4afb98e248f5.filesusr.com/ugd/3bcfef_fcbec8f86029499b9b3abdcf541570c5.pdf?index=true
    • https://bbabd859-9b02-4f6b-9382-bc6f60960d45.filesusr.com/ugd/33a2e4_bd144d7783c14a9cab574fea42c60d33.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0436/0021/6232/files/pokurokawanupanavuvavut.pdf
    • https://cdn.shopify.com/s/files/1/0441/0851/3432/files/20391000496.pdf
    • https://cdn.shopify.com/s/files/1/0432/9376/9894/files/the_odyssey_reading_guide_answer_key.pdf
    • https://e1159248-ca41-47d4-a719-213730a1f00c.filesusr.com/ugd/b361c6_524e546111ff49628a1ea6c26f1a242f.pdf?index=true
    • https://1a29f7d4-6652-4479-bebd-460bacae8065.filesusr.com/ugd/e5cbe5_37a80210a1444630bd3470785c6fe77b.pdf?index=true
    • https://050b1ef8-f38f-4a9a-a2a9-f9bb0462139f.filesusr.com/ugd/0a51c1_8d3710b3fe9f4674b3298f9a385d30c1.pdf?index=true
    • https://f2321084-3f5d-41c8-8614-7bd6997ef57b.filesusr.com/ugd/f5892c_b4fbc654339949298a6214d6dc6fda94.pdf?index=true
    • https://4981a915-b876-4591-915e-9fa7307fdd3d.filesusr.com/ugd/e2f7e1_94042fc26a0c4268963d0111cddc6e30.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Note: the last six entries (w3.org, purl.org, ns.adobe.com) are standard RDF/XMP metadata namespace identifiers that appear in the PDF's XMP metadata stream; they are not part of the link farm and should not be treated as indicators.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off00009d5e.bin | 208c51c038b43b7be702a41c5f5a207cba3bf0cf1add6f85fec2eb02be8efd2a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D5E | 7060 bytes
font_01_sfnt_off0000b594.bin | eb62cd46dd8664cb12493453ed358845e37bf699c97a45b46bae26d67529cf65 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB594 | 4704 bytes
font_02_sfnt_off0000c5a8.bin | 69da42cee370ae7aa4f9962410daba2abe9890afb2739798785257581ebbae1e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC5A8 | 10984 bytes
font_03_sfnt_off0000eaf1.bin | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEAF1 | 4324 bytes