Malicious PDF — malware analysis report

Static analysis result for SHA-256 d18370ac88c1d9d8…

Verdict: MALICIOUS
File type: PDF
Size: 42.6 KB
Created: 2020-08-30 13:45:19 +03:00
Authoring application (Producer metadata): wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a6595d5b18dce1b27f78ef318f1e21d
SHA-1: fa86ed0ff1ed57c97cb484509d2de14d163e218a
SHA-256: d18370ac88c1d9d8dfb12737352d806a26498a290ecc41127e8d2877138059fb
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.001 User Execution: Malicious Link

The PDF contains a mass external link farm: a primary link to a known malicious redirector plus many further links clustered on a single CDN host. The document contains the URL 'https://ttraff.link/wix?keyword=algebra+1+chapter+5+assessment+book', whose host is identified as a malicious redirector. The keyword-stuffed query string indicates that the document is a generated SEO carrier designed to lure users searching for educational material into a redirect chain, rather than a document that exploits the PDF reader.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The last six entries (the w3.org rdf-syntax-ns, purl.org/dc and ns.adobe.com URIs) are XMP metadata namespace identifiers from the document's metadata stream, not clickable links.
    • https://ttraff.link/wix?keyword=algebra+1+chapter+5+assessment+book (primary link; known malicious redirector)
    • https://cdn.shopify.com/s/files/1/0430/0491/9971/files/mafunoba.pdf
    • https://cdn.shopify.com/s/files/1/0430/5282/6773/files/fusion_360_turning_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0430/5436/6877/files/rabowaturofamenabisab.pdf
    • https://cdn.shopify.com/s/files/1/0428/4320/9895/files/80149408303.pdf
    • https://cdn.shopify.com/s/files/1/0428/6346/0508/files/defisijesibavulesijegimi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9105/1161/files/dukane_mcs350_installation_manual.pdf
    • https://cdn.shopify.com/s/files/1/0448/1299/2674/files/deeplearningbook_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/1673/2320/files/19022116719.pdf
    • https://static.usrfiles.com/ugd/b8c837_bad715f8c16140a1a66ce1fbd0b3af5e.pdf
    • https://static.usrfiles.com/ugd/b8c837_759aa6e64ffc4c9f9be74f5447643399.pdf
    • https://static.usrfiles.com/ugd/b8c837_113321a4240248e5a9ef02794b89c394.pdf
    • https://cdn.shopify.com/s/files/1/0429/3260/0985/files/82667254194.pdf
    • https://cdn.shopify.com/s/files/1/0433/4272/5275/files/69419379636.pdf
    • https://cdn.shopify.com/s/files/1/0430/4846/8631/files/calendario_mundial_rusia_2020_chile.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
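As an added illustration of how the two critical heuristics above can be implemented, the following is example code written for this report page, not the analysis platform's own detector. It pulls the targets of /URI actions out of raw PDF bytes, groups them by host, and flags a small document whose links mostly point at one host or at a denylisted redirector. The thresholds, the denylist, the constructed sample link set and the benign control set are assumptions made for the example; the only value taken from the report is the ttraff.link host.

```python
"""Toy re-implementation of the PDF_MALICIOUS_REDIRECTOR_LINK and
PDF_SEO_LINK_FARM heuristics. Example code, not the vendor's detector."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical denylist for illustration; the one host comes from the report above.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.link"}

# Thresholds are assumptions chosen for this example, not the vendor's tuning.
MIN_LINKS = 10            # what counts as a "mass" link farm
MAX_SIZE_BYTES = 200_000  # what counts as a "small" PDF
TOP_HOST_SHARE = 0.6      # "mostly clustered on one host"

# /URI actions behind /Link annotations. Literal strings only; hex strings
# and escaped parentheses are not handled in this toy version.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uri_actions(pdf_bytes: bytes) -> list:
    """Return the targets of /URI actions found in the raw bytes.

    Only the link-annotation channel is counted. URLs that merely appear in
    the XMP metadata packet (rdf-syntax-ns, purl.org/dc, ns.adobe.com) are
    namespace identifiers, not clickable links, and are left out on purpose.
    """
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]


def classify(pdf_bytes: bytes) -> dict:
    """Apply the redirector and link-farm heuristics to one PDF."""
    uris = extract_uri_actions(pdf_bytes)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0

    hits = []
    if KNOWN_REDIRECTOR_HOSTS & set(hosts):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf_bytes) <= MAX_SIZE_BYTES and len(uris) >= MIN_LINKS and share >= TOP_HOST_SHARE:
        hits.append("PDF_SEO_LINK_FARM")
    return {"uri_count": len(uris), "top_host": top_host,
            "top_host_share": round(share, 2), "hits": hits}


def build_sample_pdf(uris) -> bytes:
    """Construct a minimal uncompressed PDF with one /Link annotation per URI.

    Synthetic test input, not the sample from the report. Real generated PDFs
    keep these objects inside FlateDecode streams, so a production scanner
    must inflate streams (e.g. with pikepdf) before any regex sees them.
    """
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>\n"
        for u in uris)
    # A metadata packet with namespace URIs that must NOT be counted as links.
    xmp = (b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/'/>\n")
    return b"%PDF-1.4\n" + annots + xmp + b"%%EOF\n"


# Constructed link set mimicking the report: one redirector, many links on one CDN host.
SAMPLE_URIS = (
    ["https://ttraff.link/wix?keyword=algebra+1+chapter+5+assessment+book"]
    + [f"https://cdn.shopify.com/s/files/1/0430/0000/{i:04d}/files/doc{i}.pdf" for i in range(11)]
    + [f"https://static.usrfiles.com/ugd/b8c837_{i:032x}.pdf" for i in range(3)]
)

# Constructed control: a few citations on unrelated hosts, as a normal document would have.
BENIGN_URIS = [
    "https://www.w3.org/TR/xml/",
    "https://docs.python.org/3/library/re.html",
    "https://www.rfc-editor.org/rfc/rfc8259",
]

if __name__ == "__main__":
    for name, uris in (("sample", SAMPLE_URIS), ("benign", BENIGN_URIS)):
        print(name, classify(build_sample_pdf(uris)))
```

Running the block prints two verdicts: the constructed sample trips both critical rules (15 link targets, 11 of them on one host, one on the denylisted redirector) while the three-citation control trips neither. The namespace URIs embedded in the XMP packet are never counted, which is the same distinction the EMBEDDED_URL entry above draws between extracted strings and actual link channels.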

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00006390.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6390   5716 bytes
    SHA-256: 7e67dff9690ea10c436c195c1c96655a959d012c8856e6f9bb4e6dae6d6e443c
font_01_sfnt_off000076e7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x76E7   11204 bytes
    SHA-256: fc6fac1f82dba0ff4348e64941b64e292db355e4547e81f8b7633b54969cb269