Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bc5419a14d9d66b…

MALICIOUS

PDF

45.1 KB Created: 2020-09-19 15:09:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 656bfe915d218c7c410780977d11d41f SHA-1: 26b22df7164a6c353b90218aba85a5dc8a42ed03 SHA-256: 4bc5419a14d9d66b925ffac1eb65738f96fe661903e3c7dbd08cf8eddea431f9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file was identified as malicious due to the presence of numerous embedded links. One critical heuristic firing indicates a PDF_MALICIOUS_REDIRECTOR_LINK, pointing to 'https://ttraff.me/wix?keyword=ogata+korin+red+and+white+plum+blossoms', suggesting a redirection to a malicious site. Another critical heuristic, PDF_SEO_LINK_FARM, confirms a mass of external PDF links, with 'http://gaguxamep.fleurspressed.com/uploads/1/3/2/6/132696067/4703236.pdf' being the first listed. These findings strongly suggest the document's purpose is to host a link farm for SEO manipulation or to redirect users to harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=ogata+korin+red+and+white+plum+blossoms
    • http://gaguxamep.fleurspressed.com/uploads/1/3/2/6/132696067/4703236.pdf
    • http://files.colton-craig.com/uploads/1/3/0/7/130776336/mapadukapivumuliwog.pdf
    • http://ladinu.srinivasiyer.net/uploads/1/3/0/7/130739906/4482563.pdf
    • http://files.thesilkfamilyproject.com/uploads/1/3/1/4/131437740/livig.pdf
    • http://tuzetivov.leachfamilyfarms.com/uploads/1/3/0/8/130874384/pamugedukir_baxekegidob.pdf
    • https://971e3c80-15b9-4521-8004-d47cd37e070b.filesusr.com/ugd/95ea6b_aacf6a20e4394b01b60fa754f2f6b1a1.pdf?index=true
    • https://2fc650d7-d4a2-476a-b738-2590296e4968.filesusr.com/ugd/628a76_a20dfaf8fa2749ec8c6af553c955658e.pdf?index=true
    • https://45209714-5439-4e48-a8f8-9c56c6090d53.filesusr.com/ugd/111c46_0450efc85018413d90ddaeb08e732447.pdf?index=true
    • https://d939dcd7-22fb-40da-9fad-a74316655a58.filesusr.com/ugd/53c654_6e53f001e63b46ffa523bc37225931a2.pdf?index=true
    • https://2db69655-d7a3-4192-bf91-8838afa20c15.filesusr.com/ugd/b1b16e_79a49e86418b4972ba37969db6818a93.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0431/9336/8725/files/xenijawut.pdf
    • https://cdn.shopify.com/s/files/1/0428/9386/9212/files/pakawonelogenupoxarisusoz.pdf
    • https://cdn.shopify.com/s/files/1/0433/0648/3876/files/proper_risk_management_forex.pdf
    • https://cdn.shopify.com/s/files/1/0429/2273/7830/files/33535129155.pdf
    • https://cdn.shopify.com/s/files/1/0434/5479/1832/files/dfa_passport_application_form_2020.pdf
    • https://cdn.shopify.com/s/files/1/0448/2249/5389/files/ngo_bylaws_in_english.pdf
    • https://cdn.shopify.com/s/files/1/0440/2338/2174/files/learn_japanese_language_through_english.pdf
    • https://cdn.shopify.com/s/files/1/0430/7383/1072/files/leyes_de_exponentes_ejercicios_resueltos.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006427.bin
ec09bcdb1aa46c2cca68688d9cce1a8ac46e07965ee9bf92cb4925eeb47a2a17		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6427 5576 bytes
font_01_sfnt_off000076f4.bin
978934397083425f713698d57034e6831137e46be82b46e4201d49701f1eb4e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76F4 10004 bytes
font_02_sfnt_off000098fa.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x98FA 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.