Malicious PDF — malware analysis report

Static analysis result for SHA-256 86c145ba8c5a2787…

Verdict: MALICIOUS
File type: PDF
Size: 45.4 KB
Created: 2020-09-28 18:28:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 528eaab97f011bf39b4a96aa1f745b31
SHA-1: d05dc5cd6436a43173c4339c0ab79d08e275adda
SHA-256: 86c145ba8c5a2787a96462a64ea11c8f83c262bcbbe572601fa3732bf63986aa
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, identified as a link farm, which are likely used for SEO poisoning to lure unsuspecting users to malicious sites. One of the primary links redirects to `https://cctraff.ru/mozel?keyword=pdf+analisi+logica+tabella+sui+complementi`, which is flagged as malicious redirector infrastructure. The document body itself is heavily obfuscated and contains many of these links, reinforcing the malicious intent.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://cctraff.ru/mozel?keyword=pdf+analisi+logica+tabella+sui+complementi
    • http://files.earthlycreations.shop/uploads/1/3/0/7/130739088/427732.pdf
    • http://wipet.kandtgurlygurlz.com/uploads/1/3/1/4/131438577/sibejovo.pdf
    • http://files.thepaintspotinc.com/uploads/1/3/2/8/132814906/6254316.pdf
    • http://files.luvmilk.com/uploads/1/3/1/3/131398010/aa0fa.pdf
    • http://files.rajahmaples.com/uploads/1/3/1/3/131397971/fa178c.pdf
    • http://files.tdcfamilylaw.com/uploads/1/3/1/4/131483662/6938921.pdf
    • http://files.rachelsilvert.com/uploads/1/3/1/4/131454560/054425c1be96c9.pdf
    • http://kabefe.thevagrancy.com/uploads/1/3/0/7/130776138/mabebojepubiwef_joropav.pdf
    • http://xiwep.jasfinsecurity.com/uploads/1/3/2/7/132741508/masonamazamevog.pdf
    • http://files.pristineyc.com/uploads/1/3/1/4/131438759/jokuwipiwixur.pdf
    • http://files.ujimainstitute.com/uploads/1/3/2/7/132740536/ripuredu.pdf
    • https://site-1036929.mozfiles.com/files/1036929/folifiliwuliradozebusax.pdf
    • https://site-1036807.mozfiles.com/files/1036807/46219018714.pdf
    • https://site-1036826.mozfiles.com/files/1036826/perunonalovijozi.pdf
    • https://site-1036962.mozfiles.com/files/1036962/fegujonetadofiboros.pdf
    • https://site-1036917.mozfiles.com/files/1036917/72580195816.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006ff5.bin
  SHA-256: 9e48083a30debfac088c7254ad6815be57d11e104ce65f9ee5700db6c7a72067
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6FF5
  Size: 5520 bytes

Filename: font_01_sfnt_off000082b0.bin
  SHA-256: 3c559283801f46353c4fc832fa098801d7157c6c63b0b8920f76d3555db08f06
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x82B0
  Size: 11124 bytes