Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f0b8ded196265dd…

MALICIOUS

PDF

57.7 KB Created: 2020-08-31 10:02:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8a771af39c1433c57f8400089f3a707b SHA-1: 8a5714131ad5c2ff41c2f882f1aa832738593f7c SHA-256: 1f0b8ded196265ddebbc0e4dc0375e2b0831549c11182d99e6aac7325dd328fe
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to external PDF files, indicating a link farm designed to manipulate search engine results or lure users to malicious content. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.cc/wix?keyword=five+dialogues+euthyphro'. The document body is heavily obfuscated and contains what appears to be a reference to this redirector URL, suggesting the primary goal is to redirect the user to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=five+dialogues+euthyphro
    • https://static.usrfiles.com/ugd/b8c837_e90bf73675f04c30b8fc7ed03ca40738.pdf
    • https://static.usrfiles.com/ugd/b8c837_66510327cdb34ea39dd840bf1933f4ff.pdf
    • https://static.usrfiles.com/ugd/b8c837_3485ed588df64e40bf4183550957c6fb.pdf
    • https://cdn.shopify.com/s/files/1/0440/1060/2661/files/snap_circuits_jr_manual.pdf
    • https://cdn.shopify.com/s/files/1/0466/2309/6997/files/95283928579.pdf
    • https://cdn.shopify.com/s/files/1/0432/2571/0756/files/jimosilu.pdf
    • https://static.usrfiles.com/ugd/9f6a24_01cf82a9de2145ae970983c8d4ec9107.pdf
    • https://static.usrfiles.com/ugd/b8c837_df437f7deb45429ca0f4c9c4525b7d61.pdf
    • https://static.usrfiles.com/ugd/b8c837_349c252372984fe9b3410c02ef022d81.pdf
    • https://static.usrfiles.com/ugd/e5a943_1e3c1d03817a44f99212c4b9d32fd613.pdf
    • https://static.usrfiles.com/ugd/96768c_eacd9e48c23047e0b234717e1a5a5952.pdf
    • https://static.usrfiles.com/ugd/09273f_0dcd777bdf404abd853ac6c6785bd17b.pdf
    • https://static.usrfiles.com/ugd/238140_5b7f3a3247c74f1ebd42459a8c5b7672.pdf
    • https://static.usrfiles.com/ugd/b8c837_906fbb18604e4936b0fe807f795e5f98.pdf
    • https://static.usrfiles.com/ugd/4cf28d_a98f34f75acc4c5c9ff897de940fcbae.pdf
    • https://static.usrfiles.com/ugd/162fe6_03ab6c2d7af24b1e9bb62352f67189b9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a547.bin
57f2ae015f8b915e8e3f4947b3cb9398145e67637219afaeee2d0ea476c70188		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA547 5340 bytes
font_01_sfnt_off0000b779.bin
894b5a1bac81a1439a8591583deaac9f22b3f09c44db63b080e3b0f3ecc69544		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB779 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.