Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9ee00da72e72ad3…

MALICIOUS

PDF

60.0 KB Created: 2020-10-17 12:31:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6746fc0e166d900dfdde0af298f4c4b9 SHA-1: 90694e8ed1b81697f073869a8b3443be89b25b8c SHA-256: a9ee00da72e72ad3a08f90e52323ce711623646290c7bb435c220cef67e5a08c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm designed to appear as a worksheet answer key, which is a common social engineering tactic. The primary link directs to a malicious redirector, likely intended to deliver a secondary payload or phish for credentials. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms the malicious nature of the redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/123?keyword=electric+force+and+coulomb%2527s+law+worksheet+answers
    • https://zinikedefi.weebly.com/uploads/1/3/0/7/130740178/vosimu-redibelefavepu-nufid-tixugikigupiv.pdf
    • https://jawasolasazilem.weebly.com/uploads/1/3/1/3/131379174/beparinunij.pdf
    • https://fekudumubaf.weebly.com/uploads/1/3/2/6/132681201/d54f4d96cedca1.pdf
    • https://biwugina.weebly.com/uploads/1/3/1/1/131163984/76f736991d2.pdf
    • https://cdn-cms.f-static.net/uploads/4378157/normal_5f8a7e98584ac.pdf
    • https://cdn-cms.f-static.net/uploads/4366042/normal_5f875dfbb5355.pdf
    • https://cdn-cms.f-static.net/uploads/4368977/normal_5f880939b470b.pdf
    • https://cdn-cms.f-static.net/uploads/4376600/normal_5f8a03d987e57.pdf
    • https://cdn-cms.f-static.net/uploads/4371553/normal_5f8a13b06c688.pdf
    • https://xojerajap.weebly.com/uploads/1/3/1/3/131384359/1392291.pdf
    • https://gogebuzavoriro.weebly.com/uploads/1/3/2/6/132681212/xiregodadixigoz.pdf
    • https://mojivimimujovo.weebly.com/uploads/1/3/0/8/130874437/038885c85ecf8f0.pdf
    • https://wetuxabo.weebly.com/uploads/1/3/0/8/130873937/3475387a65fc0.pdf
    • https://tavumake.weebly.com/uploads/1/3/2/7/132740551/91e26.pdf
    • https://rimesozarabef.weebly.com/uploads/1/3/1/6/131607712/rujagepo.pdf
    • https://vozunutav.weebly.com/uploads/1/3/0/9/130969695/54f421.pdf
    • https://baletepo.weebly.com/uploads/1/3/0/7/130776023/zetosat-powetaz-wuviwabegevuz-xerarukekesudax.pdf
    • https://cdn.shopify.com/s/files/1/0434/6229/5714/files/mokav.pdf
    • https://cdn.shopify.com/s/files/1/0481/5074/1153/files/parigaler.pdf
    • https://cdn.shopify.com/s/files/1/0496/2392/4885/files/tigademinogokojude.pdf
    • https://cdn.shopify.com/s/files/1/0431/8566/8255/files/android_download_location_sd_card.pdf
    • https://cdn.shopify.com/s/files/1/0484/2956/4062/files/biogeochemistry_an_analysis_of_global_change.pdf
    • https://cdn.shopify.com/s/files/1/0266/9025/7081/files/banej.pdf
    • https://cdn.shopify.com/s/files/1/0482/8738/3714/files/westchester_county_courthouse_white_plains_ny.pdf
    • https://cdn.shopify.com/s/files/1/0437/8509/3281/files/legend_of_zelda_cheats_map.pdf
    • https://cdn.shopify.com/s/files/1/0433/9371/2286/files/safewerulikewaledukoropo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000858d.bin
efec327a2f10582f8849efdcaff3596a0cef1e4472bac016ca23536841ada890		 pdf-font-stream PDF embedded font (sfnt) at offset 0x858D 4864 bytes
font_01_sfnt_off00009813.bin
d425212bedaf94bdb182ee93fb75e3825297fd30363d3b45aa5d1d6a6006dd72		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9813 5548 bytes
font_02_sfnt_off0000aad3.bin
ce43b62959fab20a10950d2ab79b5977cfe4a142bf80ea9c498fd4ec4449ad2b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAAD3 9780 bytes
font_03_sfnt_off0000cc6e.bin
c43c81af3addadc619f1b50b0eb79006c69e58cb90abf43f7a5fbd940e22698c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC6E 16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.