Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f125f9eb59c9113…

MALICIOUS

PDF

36.3 KB Created: 2020-09-16 19:17:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 66b5a28d352d297d64fc41d15e809328 SHA-1: 291e52e66ea44346a74b523d7b0d3a4b98d5e5f3 SHA-256: 1f125f9eb59c91134e1d21dc924521b9375da723ecc989d635ae4a11a6983dfa
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm and a direct link to a known malicious redirector, indicating a phishing or scam attempt. The document body, though partially corrupted, contains text related to a 'Crock-pot manual' and embedded URLs, suggesting a lure to a malicious site. The presence of numerous PDF links points to a link farm strategy to obscure the final malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=crock-pot+sccpvl610-s-a+6-quart+manual
    • http://nefusima.nmffa.org/uploads/1/3/1/0/131069934/1514188.pdf
    • http://tovadu.heatherbiggsphotography.com/uploads/1/3/2/8/132816091/6809956c.pdf
    • http://files.southkeyscentrum.com/uploads/1/3/1/4/131407705/mitefalurozabu-retaketelef.pdf
    • http://lanupimo.primarydigit.com/uploads/1/3/1/6/131607062/3de4170946206f.pdf
    • http://files.jeffwatsonhomes.com/uploads/1/3/1/4/131453682/ratizoxijoxezi.pdf
    • http://files.ucfootball.co.nz/uploads/1/3/0/7/130775776/757eb.pdf
    • http://files.accentplanks.com/uploads/1/3/0/7/130775373/zipuwu.pdf
    • https://5ea413f3-7c38-460c-b283-62d744c7cefc.filesusr.com/ugd/80bfa9_cf8eb9b8920940e79f4332959a65035b.pdf?index=true
    • https://a4ecb70f-176d-427f-96df-bf8e00e39159.filesusr.com/ugd/8a4248_0ea6035a71dc4be694bd770ef0b70375.pdf?index=true
    • https://2ee34eab-a307-41a4-a519-612966da7509.filesusr.com/ugd/03ae60_967be0b3e0a6484484a4f20f29667afb.pdf?index=true
    • https://39631599-c222-4c48-92c0-6cc8022ca34f.filesusr.com/ugd/9d869b_8e8b9d329bd44b67b4170f0d072a3887.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0435/7554/1919/files/90800295106.pdf
    • https://cdn.shopify.com/s/files/1/0431/0623/8613/files/l_accord_du_participe_passe_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0438/9571/8040/files/roxubolanarewoza.pdf
    • https://cdn.shopify.com/s/files/1/0431/6754/7552/files/banking_awareness_arihant_2020.pdf
    • https://cdn.shopify.com/s/files/1/0428/1961/6935/files/jaxak.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004e60.bin
c12029d40543b9555e10351d12a47031861a48ec4bbd4e8a920f4e0d1ed9913a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4E60 5612 bytes
font_01_sfnt_off0000617e.bin
6d0af238def98a3fd4ac3b429bc2d476376147d4cdfb1720cc5f12a5d568033e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x617E 10124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.