Malicious PDF — malware analysis report

Static analysis result for SHA-256 43f22d6b69a17abd…

MALICIOUS

PDF

48.3 KB Created: 2020-08-30 09:51:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a51ce7140d2d84294ead7b1b857b3e1 SHA-1: 100cfb93393fa2486ba29eafc0b2c2b9a805db76 SHA-256: 43f22d6b69a17abd9d21578820d76265558c5826c84584099ec81663b0bec9be
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a redirector URL. The primary heuristic indicates a malicious redirector link, suggesting an attempt to lure users to a harmful site. The document body, though heavily obfuscated, contains the malicious URL. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=tuesday+siesta+summary
    • https://cdn.shopify.com/s/files/1/0429/8581/6218/files/delegation_of_parental_authority_form_michigan.pdf
    • https://cdn.shopify.com/s/files/1/0439/7511/4910/files/application_of_vsepr_theory.pdf
    • https://cdn.shopify.com/s/files/1/0431/4431/5040/files/europass_cv_greek_template.pdf
    • https://cdn.shopify.com/s/files/1/0433/0009/4112/files/74831371868.pdf
    • https://cdn.shopify.com/s/files/1/0431/7026/7300/files/vojomuz.pdf
    • https://static.usrfiles.com/ugd/b8c837_a6c34eea607d423bbeb400693806f6c4.pdf
    • https://static.usrfiles.com/ugd/b8c837_bedd59bc3608430b8d6daa71dfe55e40.pdf
    • https://static.usrfiles.com/ugd/b8c837_29761a4f13a847ff9d8959fd0521ee1f.pdf
    • https://static.usrfiles.com/ugd/b8c837_aa5b7d089cdb4cbb8be8d603ec76784e.pdf
    • https://static.usrfiles.com/ugd/45fd81_e2daf47abea04b40aa3016a120214a62.pdf
    • https://static.usrfiles.com/ugd/0f5b72_52f37904cc5044e9a58236af8cd2b24c.pdf
    • https://static.usrfiles.com/ugd/1849a1_fa549e3d358648fb9aec56e2e6dfc6f4.pdf
    • https://static.usrfiles.com/ugd/585b1d_ee81c6383c7444929d38cd2e53b16f9e.pdf
    • https://static.usrfiles.com/ugd/3e9e83_e829816139514e7aaddafa5928bf736d.pdf
    • https://static.usrfiles.com/ugd/b8c837_46201d8eba5c486faf7cc6226747510c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007848.bin
a75d6844e72c8ae12a4845855b254b83837eac13a758c57be15e800925a201fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7848 4992 bytes
font_01_sfnt_off0000892f.bin
41c2c3beed577a5e54b360e25ae4fe627ad28f7b72e6bc4134f7299d112f2c9f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x892F 13948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.