Malicious PDF — malware analysis report

Static analysis result for SHA-256 904352e6c2872286…

Verdict: MALICIOUS
File type: PDF
Size: 37.7 KB
Created: 2020-08-31 13:19:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85afc9e526a758e9fc7c12f596d9b042
SHA-1: 466635648063426339b7f7a2403afc4fdf7048ba
SHA-256: 904352e6c2872286303cf9736ee790cb6587ff26c94bc2ea9827e85de400adc3
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

A critical heuristic fired on this PDF, indicating a link to a malicious redirector. The document body, though heavily obfuscated, contains the same URL. This suggests the primary purpose of the PDF is to lure the user into clicking the link, which is likely part of a phishing or malware distribution scheme.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=just+the+right+shoe+collectors+value+guide+raine

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000055dc.bin
  SHA-256: d841725bc65901b93d1b5dd6aad22422b3cdc62b407ae45ff26973f247bcebfc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x55DC
  Size: 5248 bytes

Filename: font_01_sfnt_off000067b8.bin
  SHA-256: 093c25b3278698719f24e66991f41a75580baffe257971b2d67dd42e2b0de4fd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x67B8
  Size: 10076 bytes