Malicious PDF — malware analysis report

Static analysis result for SHA-256 a409aae472cb3fd5…

MALICIOUS

PDF

222.2 KB Created: 2020-07-10 19:44:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 858abcef53c3a60113d579b67a810f6f SHA-1: 5e4acf11d97bf1d0a25545460853e24888522b42 SHA-256: a409aae472cb3fd5dd7badd77e78a432c4ade2187f829329303b2a373805c6f3
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link that redirects to a known malicious domain, disguised as a download for educational material. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms the malicious nature of the embedded URL. No scripts were extracted from this sample, limiting the analysis of its direct execution behavior.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=compiler%20design%20full%20notes%20pdf
    • http://files.thesuitcasejunket.com/uploads/1/3/0/9/130969506/2159389.pdf
    • http://files.drawingacrossthelines.org/uploads/1/3/1/3/131398131/9170470.pdf
    • http://files.utile-it.com/uploads/1/3/0/9/130969926/365863.pdf
    • http://files.focusonyou-online.net/uploads/1/3/0/8/130815058/fowilasipuvenomu.pdf
    • http://files.flatironsolar.com/uploads/1/3/0/7/130776253/7693b40fdbf.pdf
    • http://files.joumc.org/uploads/1/3/0/7/130738896/2526387.pdf
    • http://files.rsvpvolunteercaregivers.org/uploads/1/3/2/6/132681824/navate.pdf
    • http://files.bsquarepro.com/uploads/1/3/1/4/131453917/335168.pdf
    • https://seximapakoro.files.wordpress.com/2020/06/nutisefufupi.pdf
    • https://rawerif.files.wordpress.com/2020/06/xuvew.pdf
    • https://wozupag.files.wordpress.com/2020/07/baxesu.pdf
    • https://tilakomo.files.wordpress.com/2020/06/57392031958.pdf
    • https://negoxojes.files.wordpress.com/2020/06/vofapikegizoka.pdf
    • https://judesovevumi520722936.files.wordpress.com/2020/07/99432323783.pdf
    • https://zirazeru.files.wordpress.com/2020/06/velimebewaraf.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rinavupomun.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nejoxalivivurotuzepebibus.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/metiliwetizo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/54101174921.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/98774508290.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00030fca.bin
fcb3083d0dd45b05ff2f24d2fbdfbf8c069737ba693ccf01e2e80c7ae11f5eef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x30FCA 5056 bytes
font_01_sfnt_off000320e3.bin
68eb57590773c8b2d6dfed7acc8dc88605551e5fd46fe4cc06ccc5aa41e1ed99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x320E3 16264 bytes
font_02_sfnt_off00035460.bin
bbb4928b2c5a50c0832ecd6ebb1362cd2d714bbe3e9ddae61164af3ebb87f482		 pdf-font-stream PDF embedded font (sfnt) at offset 0x35460 16112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.