Malicious PDF — malware analysis report

Static analysis result for SHA-256 a943c4dc989290af…

MALICIOUS

PDF

36.3 KB Created: 2020-09-17 17:58:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 92f5ee1d22e9e6594472c62b21ecebea SHA-1: 12de4b189c22bd02f0a5510834ba25cacf738e29 SHA-256: a943c4dc989290af219a6e89d691d5be910cb1ac9374917d0abe6d64bfb3b732
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, a common tactic for SEO spam and phishing. One critical heuristic identified a link to a known malicious redirector, 'https://ttraff.me/wix?keyword=achilles+2+origin+of+a+legend+unblocked', which is likely intended to lead the user to a malicious site. Another heuristic flagged a large number of external PDF links, with 'http://jetunax.calaverasarts.org/uploads/1/3/2/7/132741100/3500105.pdf' being a prominent example, suggesting a link farm designed to improve search engine rankings for malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=achilles+2+origin+of+a+legend+unblocked
    • http://jetunax.calaverasarts.org/uploads/1/3/2/7/132741100/3500105.pdf
    • http://files.putneybridgelodge6686.org/uploads/1/3/1/3/131379939/3539070.pdf
    • http://files.icsocal.org/uploads/1/3/1/6/131637131/vejorosu-fozenapelu-gufofimegum-gowula.pdf
    • http://files.cogsuite.net/uploads/1/3/0/7/130739916/6ff7b95.pdf
    • http://piroreja.craftsbywayne.com/uploads/1/3/0/7/130740607/jaxabozebojit_foxeko_nedolixifo_kitiwonorobe.pdf
    • http://files.collectifcontraceptionliege.com/uploads/1/3/0/7/130776589/4f4b5686f.pdf
    • http://pituj.vva-vasc.net/uploads/1/3/2/6/132681352/1199806.pdf
    • http://tixidemo.roberthazelton.com/uploads/1/3/2/7/132740412/kerofa.pdf
    • http://vixoted.cafemaxx.com/uploads/1/3/0/7/130739624/029f9ba77.pdf
    • http://files.casapasofino.com/uploads/1/3/2/7/132712093/8581359.pdf
    • https://e1ecd156-ab11-412d-bdd2-846fea045b27.filesusr.com/ugd/18574e_f2435ca50d6b47339afa977a87f488c6.pdf?index=true
    • https://82e2f4ab-92ea-4fbf-b715-cf2de64767f5.filesusr.com/ugd/7aabb2_cebc7cb790bf4637ad3d4a99eb0f7344.pdf?index=true
    • https://6ada96b4-f6b0-47cc-a6a3-8896071a6d67.filesusr.com/ugd/b65acf_c7bb9888951e4bf1919dc814eb2cd2e5.pdf?index=true
    • https://38ed04c2-0cee-4014-937c-22ad979fd691.filesusr.com/ugd/834936_2a7a403cef654d0bb8732932fdfd1597.pdf?index=true
    • https://edff3dc5-1b55-4fa1-a252-c5f899f6a8af.filesusr.com/ugd/bcc0e4_62471214ebf347979f575245e2bc8f7e.pdf?index=true
    • https://b7d83541-9bf6-4264-862d-b23f7780cc63.filesusr.com/ugd/2dbf5a_ba4cc52245f840a1b9eb71d95cf080b4.pdf?index=true
    • https://d7dc53b1-6ef0-47a1-b870-4a25bbb3c2b5.filesusr.com/ugd/834936_064072ce9df44cde9688692b767975b9.pdf?index=true
    • https://d2aabdf8-071a-41cc-8566-5dae6332dc5d.filesusr.com/ugd/5ea691_092416e138a34c78a6a514fa247fb345.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004f5d.bin
4f9e6270b90262469b3967fdab24d56f7b45a1e7008a8055b72ea373d16356bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4F5D 5608 bytes
font_01_sfnt_off0000626f.bin
794a335394f9a31ce409976fe5e7581345b805a976afa5e1fa7e992749e72ee9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x626F 9844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.