Malicious PDF — malware analysis report

Static analysis result for SHA-256 a756e8ddd0ca3b6e…

Verdict: MALICIOUS
File type: PDF
Size: 43.3 KB
Created: 2020-08-31 02:29:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4689e416a5c280ff78f7898e83992bb4
SHA-1: eb518aa522cd098cb637e29fa226dad587c2ef7a
SHA-256: a756e8ddd0ca3b6ef591d40829e1a47b273e2ef3a811a647fb26305d8396af3c
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to `https://ttraff.cc/wix?keyword=frase+ora%25C3%25A7%25C3%25A3o+e+per%25C3%25ADodo+exerc%25C3%25ADcios+com+gabarito+8+ano`. Additionally, another critical heuristic indicates a PDF link farm, with numerous external links, suggesting an attempt to distribute content or traffic. The document body, though partially corrupted, contains text related to exercises and a gabarito (answer key), likely a lure to encourage clicks on the malicious link.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=frase+ora%25C3%25A7%25C3%25A3o+e+per%25C3%25ADodo+exerc%25C3%25ADcios+com+gabarito+8+ano
    • https://static.usrfiles.com/ugd/b8c837_3260366124be4704b453ddd5b010acfb.pdf
    • https://static.usrfiles.com/ugd/66c878_61addb6417bc4dffbb659e30823c70f9.pdf
    • https://static.usrfiles.com/ugd/b8c837_98fea656ce6c43d6b8e9ac8ae14e106f.pdf
    • https://static.usrfiles.com/ugd/b8c837_60aefdf27c8640259bb89050a311a25f.pdf
    • https://static.usrfiles.com/ugd/06497e_eee1d5e47a894d2f95b0a1b6dd92ec32.pdf
    • https://cdn.shopify.com/s/files/1/0464/7976/9768/files/baseball_jersey_photoshop_template.pdf
    • https://cdn.shopify.com/s/files/1/0432/6660/5209/files/pool_billiards_pro_apk.pdf
    • https://cdn.shopify.com/s/files/1/0437/6153/3082/files/leadership_theory_and_practice_7th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0429/2198/4166/files/11808029231.pdf
    • https://cdn.shopify.com/s/files/1/0430/8847/8365/files/23624969149.pdf
    • https://static.usrfiles.com/ugd/9e14ca_194049b31b1e4d15bb4b629f1902767c.pdf
    • https://static.usrfiles.com/ugd/12f4eb_b7b8f769ead74f6d8cf8ce549f2d0ffc.pdf
    • https://static.usrfiles.com/ugd/837d34_984ec0c2c4ff4f12bc3a23abfa624cdd.pdf
    • https://static.usrfiles.com/ugd/a44510_ac24a8f942344eb1ac1f1b917e3fabae.pdf
    • https://static.usrfiles.com/ugd/87a178_7af7c2cf1351408daf2959ffecd38ca5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006264.bin
    SHA-256: 090f04532a19d6d9f8f462a0e442527b09f10c9625655e180a4c3e4dfe419d4f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6264
    Size: 6272 bytes
  • Filename: font_01_sfnt_off000076d0.bin
    SHA-256: 7b130ad91a87687d99aaceeb0b5fb2ee0d62c9560f4a75b255bb55ec4a81d177
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x76D0
    Size: 12888 bytes