Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b792c3ba4622325…

MALICIOUS

PDF

43.6 KB Created: 2020-08-29 23:44:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bcfa589483c1151fdf3259d6a412373a SHA-1: 396895c2bcffb9d98267e5605dd24a12c315977b SHA-256: 4b792c3ba46223257028034a05ddd21006584e2ef5545c510b84eb57171e26d3
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a link to a known malicious redirector, disguised as a CCleaner download. It also includes a large number of links to other PDFs hosted on Shopify, likely part of a link farm for SEO manipulation. Crucially, the document explicitly instructs the user to disable security software, a common tactic to facilitate further malicious activity. No scripts were extracted, but the combination of the malicious redirector and the security bypass instruction strongly suggests an attempt to deliver a secondary payload.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=descargar+ccleaner+full
    • https://cdn.shopify.com/s/files/1/0435/2134/3647/files/zezedido.pdf
    • https://cdn.shopify.com/s/files/1/0437/3400/7973/files/14797964172.pdf
    • https://cdn.shopify.com/s/files/1/0432/0939/2285/files/junevaxurevufusofe.pdf
    • https://cdn.shopify.com/s/files/1/0429/7592/0282/files/ccna_routing_and_switching_complete_study_guide_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/5806/0703/files/incorrect_charge_off_on_credit_report.pdf
    • https://cdn.shopify.com/s/files/1/0448/1312/3744/files/texto_argumentativo.pdf
    • https://cdn.shopify.com/s/files/1/0459/9139/5485/files/absceso_amebiano_hepatico.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/puliwaxaj.pdf
    • https://cdn.shopify.com/s/files/1/0431/5293/3019/files/35917832186.pdf
    • https://cdn.shopify.com/s/files/1/0433/6356/5718/files/91849778782.pdf
    • https://cdn.shopify.com/s/files/1/0431/4365/9677/files/ghatna_chakra_science_in_english.pdf
    • https://static.usrfiles.com/ugd/b8c837_f4b4e6ad63e74aae84127cfbd282512b.pdf
    • https://static.usrfiles.com/ugd/b8c837_656e513a77274f1c97b5d609382164e4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d8f.bin
9f7cb529b260108f84e0bd455efdc37ba58ca2dbc994daa8ea7df06fc9daceba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D8F 5048 bytes
font_01_sfnt_off00007ecd.bin
26f58be02ce868381fb823b8c14c3d434c93e48848674b3eff3b7a8ae38d5145		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7ECD 10344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.