Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c0d2f0e29ac2335…

MALICIOUS

PDF

47.8 KB Created: 2020-08-30 06:48:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f78865899cb889d71cf64c0308a71e0 SHA-1: 6e91098332c694aa794d214b5b961085c8de3f47 SHA-256: 1c0d2f0e29ac233540a0cfa3e104bf29e77d98bd0c6620330a715bdd657a3648
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary heuristic indicates that the PDF links to known malicious redirector infrastructure. The document body contains text related to 'putting out of your mind pdf' and includes the malicious URL, suggesting a social engineering lure. The file also contains numerous links to external PDFs, likely part of an SEO link farm to improve search engine ranking and visibility for malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=putting+out+of+your+mind+pdf
    • https://static.usrfiles.com/ugd/b8c837_1d5a2dd33e8f4870ade6ce14afcca3b6.pdf
    • https://static.usrfiles.com/ugd/b8c837_ee1325504ed1429fb9beb20de4d50bf7.pdf
    • https://static.usrfiles.com/ugd/b8c837_779f679d34cc4bf49bc449e7b4a11641.pdf
    • https://static.usrfiles.com/ugd/cc14e4_1063f028247c4ec3b899101814e04714.pdf
    • https://static.usrfiles.com/ugd/b8c837_56651e16c1894a7dbea5127926c6d992.pdf
    • https://static.usrfiles.com/ugd/576447_daec1889b394416b8ec56ee9a94418d9.pdf
    • https://static.usrfiles.com/ugd/b8c837_52637f0ed32840d0a19be67597a8bf2c.pdf
    • https://cdn.shopify.com/s/files/1/0430/5495/6695/files/gawasexozojoboz.pdf
    • https://cdn.shopify.com/s/files/1/0430/2965/9805/files/thomas_calculus_early_transcendentals_14th_free.pdf
    • https://cdn.shopify.com/s/files/1/0428/5648/0935/files/sopewikazigobuvudabof.pdf
    • https://cdn.shopify.com/s/files/1/0432/7230/6846/files/relexas.pdf
    • https://cdn.shopify.com/s/files/1/0430/1471/7597/files/dipikasawinitipuza.pdf
    • https://cdn.shopify.com/s/files/1/0428/8980/5980/files/25188956699.pdf
    • https://cdn.shopify.com/s/files/1/0434/0157/6604/files/78632815168.pdf
    • https://cdn.shopify.com/s/files/1/0445/9390/5828/files/meteorology_today_11th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0429/7264/3491/files/function_discovery_resource_publication_disable_windows_7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007c20.bin
558c7872110bd093af490a861f8c742eaeb51f94e5d49b3928b828566966cc0a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C20 5044 bytes
font_01_sfnt_off00008d3d.bin
6c41b1330933456f47aab4fd93965502022f914efd7baa6bd5133e7fad2cb802		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D3D 10768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.