Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c5121012a53e991…

MALICIOUS

PDF

35.6 KB Created: 2020-09-02 10:29:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 626c9b6dac5e9a9b52f59eb6553f48d9 SHA-1: 447f7b94be7a1155407f67ad6cfce92a1fe3b0b7 SHA-256: 8c5121012a53e99154a744123f340582be819f91f71f7c3e936a028547500f5e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm and a specific malicious redirector URL. The document body, though heavily obfuscated, contains text related to a car manual and the malicious URL, suggesting a lure to a phishing or malware distribution site. The heuristic firings confirm the presence of malicious redirector links and a link farm within the PDF.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=audi+a5+sportback+2016+manual
    • https://static.usrfiles.com/ugd/0ebc1f_8cf1522f66fb465b8be35517ae025713.pdf
    • https://static.usrfiles.com/ugd/66c878_1fe341c8caaa40e29dc968cdd4ea3e5c.pdf
    • https://static.usrfiles.com/ugd/253000_341f4ba1d1db4e10b642c66d6e311fd3.pdf
    • https://static.usrfiles.com/ugd/67f5f7_1e32328203e5435a8fe81f2d91da6da7.pdf
    • https://static.usrfiles.com/ugd/850f07_382b7399eaa64cfbb20af0cbd0fa779f.pdf
    • https://static.usrfiles.com/ugd/145364_300c39267e844242ad1a045dfca99227.pdf
    • https://static.usrfiles.com/ugd/11baf9_4fdfcb69b7c34511a4f5f5c3d082b4a0.pdf
    • https://cdn.shopify.com/s/files/1/0437/2067/1384/files/18390024610.pdf
    • https://cdn.shopify.com/s/files/1/0465/3236/2390/files/3998628661.pdf
    • https://cdn.shopify.com/s/files/1/0428/7778/0134/files/buku_surat_yasin_dan_tahlil.pdf
    • https://cdn.shopify.com/s/files/1/0434/3952/1958/files/kabhi_fursat_ho_to_jagdambe_mp3_download.pdf
    • https://cdn.shopify.com/s/files/1/0436/1424/0931/files/unilever_nigeria_plc_annual_report_2020.pdf
    • https://cdn.shopify.com/s/files/1/0434/2690/6264/files/wumenimixojafefexopuv.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004bf3.bin
750bfaa2aaace2cd95507f5703a941d68ace22a24996f016e3a8253d31c35011		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4BF3 6016 bytes
font_01_sfnt_off00006060.bin
4d45a86482df005ccd6a0a3467eb552473b60f4559d376f6163d74fe865b08e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6060 9896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.