Malicious PDF — malware analysis report

Static analysis result for SHA-256 24f1078c45779bf3…

Verdict: MALICIOUS
File type: PDF
Size: 41.9 KB
Created: 2020-08-30 06:46:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8dd5e6b7480f65c65245d8ca491d7e92
SHA-1: 82894e4e8b16f52d4aa544480e6303a368322eee
SHA-256: 24f1078c45779bf391d12e4f022e40af4c14ad6c7ce4dc6bf2ce461810b62189
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically identified as a malicious redirector. The document body, though partially corrupted, suggests a lure related to digital marketing. The presence of a link farm heuristic further indicates an attempt to distribute malicious content through a large number of links. The primary malicious IOC is the redirector URL.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=marketing+na+era+digital+martha+gabr

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000063f6.bin
    SHA-256: e305c719c3589e5973ec08071d99f11bb5379713dd4e06b00e85d8963fd3abb3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63F6
    Size: 5268 bytes
  • font_01_sfnt_off000075b8.bin
    SHA-256: 879b41211c530f06aac14e752957e6147a8ce1143cf552cd2feec180ac98e372
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x75B8
    Size: 10968 bytes