Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac1fbbd7216c5a11…

MALICIOUS

PDF

41.5 KB Created: 2020-08-16 23:07:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a49c991443f43ccf44a5b34bca12d30 SHA-1: c6dfacb82429f30c446344aeebd1f69eba4e115f SHA-256: ac1fbbd7216c5a11f4c8dd9b4aef0e3a43708ba00f90fa87b503924f21c96cad
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a primary link pointing to a known malicious redirector. The document body, though partially corrupted, includes text related to an 'open day' event, suggesting a lure to entice users to click the malicious link. The presence of a link farm further supports the malicious intent of redirecting users to potentially harmful sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=canford+school+sixth+form+open+day
    • http://files.creativecounselingsrq.org/uploads/1/3/2/7/132710787/5366484.pdf
    • http://files.campervantoursuk.com/uploads/1/3/0/9/130969231/naken_lagurovipuz.pdf
    • https://cdn.shopify.com/s/files/1/0429/7133/2767/files/3162056849.pdf
    • https://cdn.shopify.com/s/files/1/0448/6764/9698/files/java_1._8_mac.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dedijadexurusefux.pdf
    • https://cdn.shopify.com/s/files/1/0433/1149/7366/files/21746012300.pdf
    • https://cdn.shopify.com/s/files/1/0435/0253/4822/files/asmaul_husna_arab_dan_latin.pdf
    • https://cdn.shopify.com/s/files/1/0430/4273/4237/files/tatikudulezo.pdf
    • https://cdn.shopify.com/s/files/1/0432/2390/8520/files/75467466025.pdf
    • https://cdn.shopify.com/s/files/1/0433/0386/2440/files/firubajipanobu.pdf
    • https://cdn.shopify.com/s/files/1/0429/8014/7359/files/lavetukutowuwupive.pdf
    • https://cdn.shopify.com/s/files/1/0429/3872/8611/files/doxuzikimijefafiruza.pdf
    • https://cdn.shopify.com/s/files/1/0428/9842/3967/files/68545090756.pdf
    • https://cdn.shopify.com/s/files/1/0435/3749/8271/files/8434770670.pdf
    • https://cdn.shopify.com/s/files/1/0435/3146/8951/files/moment_generating_function_of_negative_binomial_distribution.pdf
    • https://cdn.shopify.com/s/files/1/0435/7187/1912/files/47739117408.pdf
    • https://cdn.shopify.com/s/files/1/0454/4171/2286/files/bhagavad_gita_slokas_in_telugu_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062d1.bin
565cb02fc8d605d0327735903eb4f7bd6c9bb511240b5d8b75dd1b83ff6c9239		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62D1 5468 bytes
font_01_sfnt_off0000754b.bin
26391122244de43260af38571916ee28ca7de605ef64aaba5bc303ad8a38881d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x754B 10464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.