Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f09aea4acdf3e2b…

MALICIOUS

PDF

48.6 KB Created: 2020-09-01 07:32:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74cf7b901e3be08b1e8cc499b1e326cb SHA-1: 384aa3fce51ef5beeb21358dbaa6a8226c4016bc SHA-256: 2f09aea4acdf3e2b5a4f2433a8685798666e808efcf9f7167510c4d5e9541a54
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains a URL that points to a known malicious redirector. This suggests the primary goal is to redirect the user to a potentially harmful website.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=all+fifth+harmony+songs
    • https://static.usrfiles.com/ugd/81d6a4_84cae2afe3d74f9e8f32c823286ef40d.pdf
    • https://static.usrfiles.com/ugd/b28561_18955f70a64841109e83da643ff02032.pdf
    • https://static.usrfiles.com/ugd/bb13a2_3b7cb8f01a5f4afd929ad7f79f514089.pdf
    • https://static.usrfiles.com/ugd/764aaa_f43d717e41354e2ba0fd39e6a7365d5a.pdf
    • https://static.usrfiles.com/ugd/b8c837_421e14b7ca234560853dc5bebd232cee.pdf
    • https://cdn.shopify.com/s/files/1/0429/2358/9791/files/gedepofesoxufir.pdf
    • https://cdn.shopify.com/s/files/1/0433/5026/1911/files/robibimitejoteba.pdf
    • https://cdn.shopify.com/s/files/1/0431/0820/4704/files/10995212928.pdf
    • https://cdn.shopify.com/s/files/1/0433/4796/8149/files/totazapamasak.pdf
    • https://cdn.shopify.com/s/files/1/0432/7938/4744/files/zetusa.pdf
    • https://static.usrfiles.com/ugd/225520_cb40056c34b94e7889586a86a0dede37.pdf
    • https://static.usrfiles.com/ugd/dc8a8e_d1d867ee954348c18904035eabb8ca4c.pdf
    • https://static.usrfiles.com/ugd/cafc24_8288289b84a64f4fad84b833e7b0e39f.pdf
    • https://static.usrfiles.com/ugd/4725f1_583f0d4f33f849b49cbc08a471876924.pdf
    • https://static.usrfiles.com/ugd/33a16d_4aa2b587803c4d48b0bf574d9894f6f6.pdf
    • https://static.usrfiles.com/ugd/5fd5c1_c2176cf4ac3c4584a517907b6e2f89d1.pdf
    • https://static.usrfiles.com/ugd/e4a001_86a66664e2ac4d3c9e16cf446bb6f96e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008096.bin
882f70122dd9d281f2cd84dd7bf89aeb7d881bf5686ce152fe04b534dbc57c1d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8096 5272 bytes
font_01_sfnt_off00009268.bin
38afac43017df15ac102479f405adc77b0a782345ed8b4e0cf411b0034e7baba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9268 10164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.