Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2e53ea8c6cacb38…

MALICIOUS

PDF

36.8 KB Created: 2020-08-30 19:31:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8545606785ce93e36fea0d5d84e32141 SHA-1: da18782e5462e6961787a6e73cf153fd3fb609e5 SHA-256: c2e53ea8c6cacb38b4fb401bb603a71bdf78f217d7365a3854282d3dfaff2cea
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, includes the URL 'https://ttraff.com/wix?keyword=ejercicios+de+distinguir+pronombres+y+determinantes', which is flagged as malicious. This suggests a phishing or redirection attack aimed at leading the user to harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=ejercicios+de+distinguir+pronombres+y+determinantes
    • https://static.usrfiles.com/ugd/5ecadc_15248b4386414a81b237038e60e72b03.pdf
    • https://static.usrfiles.com/ugd/b8c837_8895a66aa5e94c0aa5629c65ffb013c7.pdf
    • https://static.usrfiles.com/ugd/fe83c3_4fa8ebc44e144978a9ff2e239d0a6b3c.pdf
    • https://static.usrfiles.com/ugd/b8c837_0efc339b98e747a992879437c9e52293.pdf
    • https://static.usrfiles.com/ugd/1f5cef_666907a9475544c5bd1f0041fac47909.pdf
    • https://cdn.shopify.com/s/files/1/0450/4708/7262/files/analyzing_qualitative_data_bryman.pdf
    • https://cdn.shopify.com/s/files/1/0433/5288/3352/files/sugufuxutotudupitigil.pdf
    • https://static.usrfiles.com/ugd/b8c837_23bc1e9f24024887a160d64430be2cb8.pdf
    • https://static.usrfiles.com/ugd/aff7ca_0f0c4ba0e4a14d7996915dc9e8c3fbd6.pdf
    • https://static.usrfiles.com/ugd/e3ff21_6b744e952de744c99e87bebf86a747a1.pdf
    • https://static.usrfiles.com/ugd/b8c837_40f6f4ca71f74898a515a2598ec36831.pdf
    • https://cdn.shopify.com/s/files/1/0431/5774/9917/files/90525611011.pdf
    • https://cdn.shopify.com/s/files/1/0462/4475/7664/files/nespresso_breville_descaling_instructions.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004e1f.bin
5777b71c05ce54c524d94f5a54467e3f8b97ab097d0a33e567fea368eb48c88a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4E1F 5636 bytes
font_01_sfnt_off00006139.bin
98a540329f7a77b9931c9dda7d0e81acf7ffbead0336a1054e32c535626d01e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6139 11576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.