Malicious PDF — malware analysis report

Static analysis result for SHA-256 92aa4474416e9b7c…

MALICIOUS

PDF

45.9 KB Created: 2020-09-07 19:39:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 54276493ffaee7edc4d69b715a7131fa SHA-1: b320d1343d33a5f41a76d8b7ee0b7278af95cc2e SHA-256: 92aa4474416e9b7c553afc3aec90f30a0a66bb5621b38baffdb534f51ecf3ceb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to a URL that appears to be a lure for 'indesign templates free book'. This link is embedded within the document body, suggesting a social engineering attempt to trick users into clicking it. The PDF also contains a large number of external links, characteristic of a link farm, further supporting the malicious intent. No scripts were extracted, but the primary attack vector appears to be the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=indesign+templates+free+book
    • https://cdn.shopify.com/s/files/1/0436/4782/8133/files/kuxufuxonefilix.pdf
    • https://cdn.shopify.com/s/files/1/0437/6471/1575/files/mazindol_2_mg.pdf
    • https://cdn.shopify.com/s/files/1/0428/2620/3302/files/platform_ajay_devgan_ka_video_mein_film.pdf
    • https://static.usrfiles.com/ugd/d13e1f_4eca960e669143b79dabeceefb03a9df.pdf
    • https://static.usrfiles.com/ugd/b8c837_1d9d6dc979fe4e8493946f2e5b0cc57e.pdf
    • https://static.usrfiles.com/ugd/40b9e6_0276043465b24f428f63ddc37ebc0c07.pdf
    • https://static.usrfiles.com/ugd/a18aa6_a8d1720ff0994245bff37bdfb7a82682.pdf
    • https://static.usrfiles.com/ugd/b41a9a_f151fd288ad34aa39d85b31f4aade534.pdf
    • https://static.usrfiles.com/ugd/9b5f63_b544af170d434d058c296dc41053259b.pdf
    • https://static.usrfiles.com/ugd/e5412a_255e7d69011744e48eacad01c71a89e1.pdf
    • https://static.usrfiles.com/ugd/808d8c_b43b4a1f27eb4f5ea3a7e00e46d32a4b.pdf
    • https://static.usrfiles.com/ugd/d5415a_2c3d7f9bc4e24867817196a331dc8573.pdf
    • https://static.usrfiles.com/ugd/fac845_5e2fc19915504ee5b316a7751a0340c8.pdf
    • https://static.usrfiles.com/ugd/f8de3e_0f0314da84ca44c693ee2ce4889322d7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007461.bin
b695a53c653617bca4d4d2ee5f7f6030f486a626cc3d5c049ce922a7f2d5c663		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7461 5500 bytes
font_01_sfnt_off000086fe.bin
91bc5b29d069b8fbd5ff4d0939ce62b73de2d1cc78932fc1453302ffd2104b33		 pdf-font-stream PDF embedded font (sfnt) at offset 0x86FE 10548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.