Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a5f1cb35245a7b3…

MALICIOUS

PDF

52.3 KB Created: 2020-09-06 04:54:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63fcc44ede0c0d3ddf37ae6d747d599f SHA-1: c4e53a64f80d60a3ad6f95579443bf02a96cbcf4 SHA-256: 8a5f1cb35245a7b3e9cb9406428bb1ce310c77ebdd7ce5c100bc28d3f15dc397
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with a critical heuristic firing indicating it's a malicious redirector. The document body, though heavily obfuscated, contains text related to 'Magazine publishing business plan templates' and a URL that appears to be a redirector. This suggests the document is designed to trick users into visiting a malicious site, likely for phishing or to download further malware.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=magazine+publishing+business+plan+templates
    • https://static.usrfiles.com/ugd/35dc59_7bc3226b2c594d5cb07c0a29aa9039de.pdf
    • https://static.usrfiles.com/ugd/c79b1c_5a8a062725cd48a3896a443aae564ca2.pdf
    • https://static.usrfiles.com/ugd/f1d680_558371f3aaca4692af34cf57067ba3a9.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/26965864763.pdf
    • https://cdn.shopify.com/s/files/1/0429/3967/8886/files/46330133135.pdf
    • https://static.usrfiles.com/ugd/72b0e7_7795362a09d442d684878f1ebc1b8404.pdf
    • https://static.usrfiles.com/ugd/03dcd4_ec179151e67f4156a9a2843338786b53.pdf
    • https://static.usrfiles.com/ugd/3cb679_f5dcff7446f8485585103b7936f9d2dd.pdf
    • https://static.usrfiles.com/ugd/4ae4db_b09bfa0768424cd480157d09e40b46f5.pdf
    • https://static.usrfiles.com/ugd/a07927_9b8dbdf7ea7244b89a662032313c4382.pdf
    • https://cdn.shopify.com/s/files/1/0435/7727/8623/files/bdo_sorceress_skill_build.pdf
    • https://cdn.shopify.com/s/files/1/0435/2478/4283/files/b_w_p5_wireless_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/33078626275.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008f23.bin
f8d8687f3d06bc2b38d7ceedf3de39284f392c088c64a9bd6ad571008ab1b410		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F23 5332 bytes
font_01_sfnt_off0000a133.bin
ea31e716abbc5ae85c3198c1d70dabfac483ef667c2d1562dc3b9e71b9ec5674		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA133 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.