Malicious PDF — malware analysis report

Static analysis result for SHA-256 53084f49f2eec34b…

MALICIOUS

PDF

38.6 KB Created: 2020-08-31 18:04:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59687436c89c87ea75b65537d80decd1 SHA-1: 00db9104e87f887d6d99c0826dda6f4e4dbbd41d SHA-256: 53084f49f2eec34b2675beb7a4ed8499ab494c7f80b87aadc720408aa0fe4320
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm and a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains text referencing a 'safety data sheet' and includes the malicious URL. This suggests a phishing attempt to redirect users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=karndean+adhesive+safety+data+sheet
    • https://cdn.shopify.com/s/files/1/0432/0978/5512/files/13255479075.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/viruxirekosarobavogerij.pdf
    • https://cdn.shopify.com/s/files/1/0432/0546/0125/files/acura_carplay_android.pdf
    • https://static.usrfiles.com/ugd/b8c837_1b0dcf6e002d4b3ea29d441e04dc2743.pdf
    • https://static.usrfiles.com/ugd/2e16aa_7f1951ce4cd749a1861c5d6b292986a6.pdf
    • https://static.usrfiles.com/ugd/bf650e_d600182ef61342bd810a5df7b2a5685c.pdf
    • https://static.usrfiles.com/ugd/b8c837_e457ef8d9ca54f368d538eec07eb97c9.pdf
    • https://static.usrfiles.com/ugd/234f58_d3c67ca48d384f29a688f14bb57534f6.pdf
    • https://static.usrfiles.com/ugd/32acb1_e8765a67dbad44d79ce525e8e9fd7e2f.pdf
    • https://static.usrfiles.com/ugd/77eba6_cd1161f8d98e490fa43c917e7e616c71.pdf
    • https://static.usrfiles.com/ugd/b8c837_9e66fdcf727c4596b36f7747d3006f46.pdf
    • https://static.usrfiles.com/ugd/b8c837_1f3231aef4ee41f991438e683adcb6bc.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005765.bin
2bc052aca799a3daf05c2095f59c116f6124d9e6b9e0d6d108c9e3ec6a425465		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5765 5096 bytes
font_01_sfnt_off000068c4.bin
488ae1fb5c3eeb21e333b6ce30df63e3e0b4e912cc4e4f1301d155d573ff9f01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68C4 11284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.