Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a5418eeb848e02a…

Verdict: MALICIOUS
File type: PDF
Size: 45.4 KB
Created: 2020-09-17 18:48:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b3e1853c81e56d644ef8188252607ebb
SHA-1: 7c3cf305a2afe50ec155dca9b043f058fd793a96
SHA-256: 4a5418eeb848e02a353455bc05058ab19988c917d2adf0c20a87c783e68882fe
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains multiple embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches one of the high-risk IOCs. The 'SE_PAYMENT_REDIRECT_LURE' heuristic strongly suggests a business email compromise tactic, aiming to trick users into initiating fraudulent transactions by impersonating a trusted entity. The presence of numerous links points to a link farm strategy to obscure the ultimate malicious destination.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure [high] SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • font_00_sfnt_off000066fd.bin
    SHA-256: 45df1d9ef46a7dfa78dab8a6b7293088561d5238404ede63b4020bb63e8474b6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x66FD
    Size: 4808 bytes
  • font_01_sfnt_off0000776d.bin
    SHA-256: aec4f832a738951ff02fb08b167875a85c2505c139a226a585fd31bad4cd234f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x776D
    Size: 10288 bytes
  • font_02_sfnt_off00009aae.bin
    SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9AAE
    Size: 4324 bytes