Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f373318e13ff030…

MALICIOUS

PDF

42.9 KB Created: 2020-09-14 07:41:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 30f5c16d68f0866164ad88bf715297da SHA-1: a2468dbd051402d58462c2624d28a5095c58c515 SHA-256: 8f373318e13ff0303e5af9ab790bf1378e7a0b9e119c799f5af62e95ad1dd732
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, which is further supported by the document body containing a lure for a 'practical guide to dragons pdf download' that points to a suspicious URL. The document also exhibits a 'Browser extension / update installation lure' heuristic, indicating a social engineering attempt to trick the user into installing malicious software or providing credentials. The embedded URLs suggest a link farm designed to distribute malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=a+practical+guide+to+dragons+pdf+download
    • http://gewoxox.odomengineering.com/uploads/1/3/1/6/131606165/964431065a.pdf
    • http://buriv.stmarysnsthreemilehouse.com/uploads/1/3/1/3/131384169/9152275.pdf
    • http://files.andrewmoschetti.com/uploads/1/3/1/4/131453252/getonesolonum.pdf
    • https://static.usrfiles.com/ugd/808d8c_1298a68989d642d1b7c49cca6aa6ae26.pdf
    • https://static.usrfiles.com/ugd/f5a024_0bcc387455004aaaa9575570c5dc1b50.pdf
    • https://static.usrfiles.com/ugd/e3c460_800ebced25854519aec423a2ee148ccb.pdf
    • https://static.usrfiles.com/ugd/8c0e65_4b94943cbd264c9d91407ccafd2e7517.pdf
    • https://static.usrfiles.com/ugd/b7ab08_b0d388ac60e544eaa0730cb87d6c6de0.pdf
    • https://static.usrfiles.com/ugd/9b7d8a_d2f8af785e9146e18f2f9f5acf1ef54e.pdf
    • https://static.usrfiles.com/ugd/6c313a_1dc5ae7da2d54c94ad1366252c96c217.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000059a2.bin
80387066887462ba84544bfd334a1b372cd8db8b7a20acd1549ae979d03aa5d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59A2 5284 bytes
font_01_sfnt_off00006bae.bin
8a35641899c56987b813dfa47ac0c3a675684feb6631f7f5171c77c5e6cee0f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BAE 10932 bytes
font_02_sfnt_off000090d1.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x90D1 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.