Malicious PDF — malware analysis report

Static analysis result for SHA-256 7783f08918b2ad4e…

MALICIOUS

PDF

60.7 KB Created: 2020-08-29 11:40:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6439d9bb0f166c5a2398ccfa37b57253 SHA-1: dcbb4757b3a1b9a37abd8d12b415df5a2dd942c7 SHA-256: 7783f08918b2ad4edbf10df24df0aaca39f5c3c3cb45210aeefb65df5188ec17
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous links, including one that redirects to known malicious infrastructure. The document body, though heavily obfuscated, contains text related to a 'Bengali calendar 1426 pdf' and the malicious URL. This suggests a social engineering tactic to trick users into clicking the link, which likely leads to further malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=bengali+calendar+1426+pdf
    • https://static.usrfiles.com/ugd/b8c837_9947050d62384407bd39a6aeef7e5bc2.pdf
    • https://static.usrfiles.com/ugd/b8c837_e7f2821b128948499859d5dc8850d0dc.pdf
    • https://static.usrfiles.com/ugd/b8c837_84029edf1b3a45da88a7fd3f60b5ca77.pdf
    • https://static.usrfiles.com/ugd/b8c837_88218eff24bf439d88857ad7bd5bbd51.pdf
    • https://static.usrfiles.com/ugd/b8c837_c45b466862d24e3e9a3067ae7ffe2457.pdf
    • https://static.usrfiles.com/ugd/b8c837_b47c0721ac234d118d943dcd9daec2fc.pdf
    • https://static.usrfiles.com/ugd/b8c837_2834814971b8414ca577aa28b115deb1.pdf
    • https://static.usrfiles.com/ugd/b8c837_5a72c0dbd08049159532716359c511d1.pdf
    • https://static.usrfiles.com/ugd/b8c837_a280cedc3c0c4f8897d8e171bd0774a9.pdf
    • https://static.usrfiles.com/ugd/b8c837_a52c3384528c42f8ad4560c85f05aa5e.pdf
    • https://static.usrfiles.com/ugd/b8c837_6bbe7b0b87044de9a6d8e13954698cf6.pdf
    • https://static.usrfiles.com/ugd/b8c837_de08946a9d27462793c77bec0e9c467d.pdf
    • https://static.usrfiles.com/ugd/b8c837_aeddb19347b04e68bcea4855b5baf55f.pdf
    • https://static.usrfiles.com/ugd/b8c837_b111bcfe82c842a28e11f9337c50e9df.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008299.bin
15510640c665e0ff97748d42ae020c1769dd0901cabfae6f0595c15b0e414787		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8299 5620 bytes
font_01_sfnt_off000095ca.bin
d9705be924bd2f9349cc4179dacacef0095b9eea7ea0cb1fb001baa982613000		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95CA 10804 bytes
font_02_sfnt_off0000b8ae.bin
0421752d948305a013ad9e11803a2c7da61a5d6ff95ec3b58298113ece587383		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB8AE 14508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.