Malicious PDF — malware analysis report

Static analysis result for SHA-256 5461c7fd4386d2ad…

MALICIOUS

PDF

39.9 KB Created: 2020-08-31 08:04:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63f9554531a4e88dbd8244caecd9dffa SHA-1: f750ff743750950c2da2a072ed17e9145cfee6ab SHA-256: 5461c7fd4386d2adf891bf8cafb5596f7af71e7876d414570db49d7f53ad3a11
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, characteristic of a link farm. One of these links, 'https://ttraff.cc/wix?keyword=ejercicios+complemento+directo+e+ind', is identified as a known malicious redirector. The document body appears to be obfuscated or corrupted, but the presence of numerous links and the malicious redirector strongly suggest a phishing or malicious redirection attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=ejercicios+complemento+directo+e+ind
    • https://cdn.shopify.com/s/files/1/0440/0565/4686/files/gezufukovoxilumiligowun.pdf
    • https://cdn.shopify.com/s/files/1/0431/9841/5010/files/ratekepivelidazorugazaxen.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/98629167596.pdf
    • https://static.usrfiles.com/ugd/4dd980_caa08b99be004b8c8b8d84f432ae3031.pdf
    • https://static.usrfiles.com/ugd/37428b_f8ba99880c3e425c97dd998a58425f1e.pdf
    • https://static.usrfiles.com/ugd/eed56f_1927b7da7cd1488c95fa13e9bcc42661.pdf
    • https://static.usrfiles.com/ugd/868401_11ef6f2e872548aab9a39a6b7f6c6553.pdf
    • https://static.usrfiles.com/ugd/575363_4842fe980a9344aeb2434357ba61509f.pdf
    • https://static.usrfiles.com/ugd/2e16aa_36492180c47d4163ad8303643ca22103.pdf
    • https://static.usrfiles.com/ugd/b916f4_6d3b348d86524554a8f5b784122a43bc.pdf
    • https://static.usrfiles.com/ugd/80c1db_c19cf269344348e481d1437c53157195.pdf
    • https://static.usrfiles.com/ugd/b8c837_a4c5e787f2bd47cd926fb14535470c8c.pdf
    • https://static.usrfiles.com/ugd/b8c837_8fa5795d21ce46f8bf8cc707165168e1.pdf
    • https://static.usrfiles.com/ugd/a382ee_231277e624ce41f69bd14fae314db837.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ce1.bin
a5095b595403fe7076ffae0747a84cc50f8adc54eb51dd5559a2828a85488b74		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CE1 5044 bytes
font_01_sfnt_off00006df8.bin
79b430e00e151637e2c68bb3fd72fbdbee39e48a09a6badfd3df43d82fff054a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DF8 10892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.