Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b8bc72bed3b0a29…

MALICIOUS

PDF

43.0 KB Created: 2020-08-30 05:51:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: afd382eef2f42ffa7d60964ab02c9abe SHA-1: efff3ffcd5caea11fc0ebbe5afc307bbf1d131db SHA-256: 2b8bc72bed3b0a2955385d566c6558b4cc6f5bafa610a1f63e36259218a1cc02
128 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a critical heuristic firing for a malicious redirector link pointing to a "keygen" page, suggesting a lure for potentially unwanted or malicious software. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, some of which are to benign files but others redirect to malicious infrastructure. The presence of a "download button" heuristic further supports the social engineering aspect of this document.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=autocad+2005+keygen
    • https://static.usrfiles.com/ugd/b8c837_cb33a94129224f33a0713f8beccb0603.pdf
    • https://static.usrfiles.com/ugd/49be48_e39ee9b7553a49ebb0cb3402184cc6f2.pdf
    • https://static.usrfiles.com/ugd/b8c837_409c019efa9f4aa28a7a617c0d06b294.pdf
    • https://static.usrfiles.com/ugd/b8c837_de519511f77a4c08a3ccf7fc9737d993.pdf
    • https://static.usrfiles.com/ugd/0049ca_20c7b8efa0bb4fc9b1ebc0687bb4bad1.pdf
    • https://static.usrfiles.com/ugd/b8c837_c73b640a1b314033a10e4d1afbca21dc.pdf
    • https://static.usrfiles.com/ugd/b8c837_54b7dcf7a2be4aa09672ee1cf0f27ae1.pdf
    • https://static.usrfiles.com/ugd/b8c837_acc0d9c00c1646f6ac83b160b2d77bd1.pdf
    • https://static.usrfiles.com/ugd/bdeb4c_3f4793f2e2a844518b5d523df3cbd6f2.pdf
    • https://static.usrfiles.com/ugd/b8c837_9b05c253910c4433b5a6a32592893e7e.pdf
    • https://static.usrfiles.com/ugd/ea2f88_45e09d9c1d5b4b8eb29d5528d2e208b7.pdf
    • https://cdn.shopify.com/s/files/1/0437/8977/9106/files/pozolij.pdf
    • https://cdn.shopify.com/s/files/1/0427/6033/9623/files/fisoperowuvolejovodoliji.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000068c8.bin
8665965b36216c4476cacda79e530039e229d6a89553ab594a3e1ab738916fd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68C8 5352 bytes
font_01_sfnt_off00007b1b.bin
fd238bef5496baeb7ca7a4fa0dd36360f2b7132ea7206d3abcfb22364027006c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B1B 10784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.