Malicious PDF — malware analysis report

Static analysis result for SHA-256 55e7fb71495ecc14…

MALICIOUS

PDF

45.4 KB Created: 2020-09-01 07:56:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b17fd1e2c365aec7ee4b0089651600cd SHA-1: a6a981ea1ecf8a6e884f8ee7d03edd6966d688a2 SHA-256: 55e7fb71495ecc14400868cb3d753cbd8d4acad4cca2bc9e39e05c5460e5081c
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which points to a URL that is part of a link farm. The document body contains obfuscated text and a visible URL that matches the malicious redirector. This suggests the document is designed to trick the user into clicking the link, likely to download further malware or redirect to a phishing site.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=android+x86+virtualbox+change+resolution
    • https://static.usrfiles.c
    • https://static.usrfiles.com/ugd/b8c837_2c28722ba0fb4ef7952034c59dc9e030.pdf
    • https://static.usrfiles.com/ugd/cf14a4_1ba8db35fb8644238f2ad155f61e0e3e.pdf
    • https://static.usrfiles.com/ugd/9904c2_d8b40d7b2654441d85c7dd23323af97b.pdf
    • https://static.usrfiles.com/ugd/ab059d_ff866c3f7ea74dc3b302b01c3cc284be.pdf
    • https://static.usrfiles.com/ugd/b8c837_efe0bebcd7ca4b66b6a6a48b5e74581f.pdf
    • https://static.usrfiles.com/ugd/b8c837_55d9617a8c86423a9f1b3d48f3c18a84.pdf
    • https://static.usrfiles.com/ugd/73c254_65e5b8dc1d72457d972af52935e18ba5.pdf
    • https://cdn.shopify.com/s/files/1/0431/5892/9570/files/exemple_de_cahier_des_charges_d_un_produit.pdf
    • https://cdn.shopify.com/s/files/1/0430/2913/5521/files/93162285682.pdf
    • https://cdn.shopify.com/s/files/1/0436/4324/0606/files/basement_parking_plan.pdf
    • https://static.usrfiles.com/ugd/db93e9_7b43ffdf71054dca8421458a52f6450d.pdf
    • https://static.usrfiles.com/ugd/b8c837_faef296725b646e9883756a4ebd6396b.pdf
    • https://static.usrfiles.com/ugd/b42fd6_58b5158b7b354d9a899ef7c9c5ee4cd4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007072.bin
8b5fddbdf99af68f867847a376787f59577bcfc5e2dea54fa9e3c2af778027be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7072 5804 bytes
font_01_sfnt_off00008434.bin
087aa87edf7bd94fff041a24a48f59c0d0e2fa3a5bdbda803a82e6a5d9ee725c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8434 10540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.