Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b2c3b293491d3fb…

MALICIOUS

PDF

51.3 KB Created: 2020-09-07 18:47:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59a0f2940f852df18bd454d58403f688 SHA-1: 8a4168b8043b9a797f924cd949a23e5f2c5599ac SHA-256: 1b2c3b293491d3fb17e036e1fe153c6c561ba4df5140e067c170679147422fcd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a URL that appears to be part of a SEO link farm. The document body contains text related to a quiz and the malicious URL, suggesting a lure to trick the user into clicking the link. The embedded URLs are used to host content that is likely part of a larger SEO spam campaign, ultimately leading to the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=logos+quiz+level+17+answers+iphone
    • https://cdn.shopify.com/s/files/1/0431/9870/9917/files/.pdf
    • https://cdn.shopify.com/s/files/1/0433/0058/5632/files/lujaxogugevapokodo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0009/4112/files/tuzinogados.pdf
    • https://static.usrfiles.com/ugd/3bca44_c48bf5bffc0846909432c1fa14d7fe13.pdf
    • https://static.usrfiles.com/ugd/834936_7a528d167590447c83ffddad985c1a89.pdf
    • https://cdn.shopify.com/s/files/1/0433/5144/1560/files/foolproof_academy_answers.pdf
    • https://cdn.shopify.com/s/files/1/0449/8885/8536/files/the_ed_miracle_tom_bradford.pdf
    • https://cdn.shopify.com/s/files/1/0463/3604/9313/files/23989322619.pdf
    • https://cdn.shopify.com/s/files/1/0428/9354/1535/files/income_tax_fundamentals_2015.pdf
    • https://cdn.shopify.com/s/files/1/0437/4501/8017/files/bipomamogore.pdf
    • https://static.usrfiles.com/ugd/46429b_c9ac24bc3fd4420fbe241d68a417d528.pdf
    • https://static.usrfiles.com/ugd/18f527_43223938f4b646ddb5236df78e3043ac.pdf
    • https://static.usrfiles.com/ugd/4c1554_2305649eadb34013bff1017104440a1a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000089e0.bin
8455c4cdcb064a9882638565c197fdd05ee33bead4b3bab77e42190e07d37b90		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89E0 5480 bytes
font_01_sfnt_off00009cb4.bin
0d6a9375a6a2cf59edc4ed13422003cf3f363f269c429af19c66b53b6e64e8bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9CB4 10472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.