Malicious PDF — malware analysis report

Static analysis result for SHA-256 f21e2a6b72523a1d…

MALICIOUS

PDF

110.3 KB Created: 2020-07-31 21:11:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f443b05d0fd3c3baf9ad2ad43afe1c7 SHA-1: 555d8d7aed29680ef4af62e90c565f6efe2b73a6 SHA-256: f21e2a6b72523a1d30949467dc5f6435262c0b68f3ccb179562f33adf531ccea
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link that redirects to a malicious URL, disguised as a 'physics principles and problems solutions manual pdf'. This link is part of a larger link farm, indicating a phishing or malware distribution attempt. The presence of a visual download button further supports the lure.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=physics+principles+and+problems+solutions+manual+pdf
    • http://files.steppingstonetuition.com/uploads/1/3/1/3/131383964/8618393.pdf
    • http://files.troyelementaryspanish.com/uploads/1/3/1/8/131856904/setame.pdf
    • http://files.eringipfordfreelance.com/uploads/1/3/1/3/131378899/962f048bc0b4.pdf
    • https://cdn.shopify.com/s/files/1/0429/2568/6951/files/tifutedoboviro.pdf
    • https://cdn.shopify.com/s/files/1/0433/1415/1589/files/57903942670.pdf
    • https://cdn.shopify.com/s/files/1/0435/3579/4327/files/42112223995.pdf
    • https://cdn.shopify.com/s/files/1/0433/7968/7587/files/xateludalofaraz.pdf
    • https://cdn.shopify.com/s/files/1/0430/4994/3202/files/sixuxipatob.pdf
    • https://cdn.shopify.com/s/files/1/0431/9959/4656/files/jewumawin.pdf
    • https://cdn.shopify.com/s/files/1/0428/7237/3411/files/87846263704.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/35022180152.pdf
    • https://cdn.shopify.com/s/files/1/0428/4314/4355/files/60619194629.pdf
    • https://cdn.shopify.com/s/files/1/0432/8259/6004/files/femexesidala.pdf
    • https://cdn.shopify.com/s/files/1/0430/0649/2831/files/sugalaxuvepozatovu.pdf
    • https://cdn.shopify.com/s/files/1/0431/8212/9320/files/19526452934.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000172e7.bin
d6c1bd6c3d80225e48ffd905a3e7c6810881ffae15d0c908c15aa074fd1b1ab3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x172E7 5640 bytes
font_01_sfnt_off000185ef.bin
f6f4e42cfdabab892231cb6ec5cf93ca3c80f75ab72a38ceadb4d3171e2038e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x185EF 11064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.