Malicious PDF — malware analysis report

Static analysis result for SHA-256 95c9202dffa81a9f…

MALICIOUS

PDF

Size: 60.3 KB
Created: 2020-09-17 06:27:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 017d861d885199aea168fa5b397062d5
SHA-1: 5a699a9a0c111aa9203db967c9646f354139bdbd
SHA-256: 95c9202dffa81a9f2189c8217bf0395de1fdcab3bf5e70a853d52091360f6671
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a mass of external links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text that suggests a lure, possibly related to a 'voyage of the dawn treader script pdf'. The presence of numerous PDF links and a malicious redirector indicates a likely attempt to drive traffic to malicious sites, potentially for phishing or malware distribution.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=voyage+of+the+dawn+treader+script+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ae76.bin
SHA-256: f44ddf0791ba8acc264400e8543b04cba1e7c6c166fdce17d08cd94ab1da9742
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xAE76
Size: 5544 bytes

Filename: font_01_sfnt_off0000c16f.bin
SHA-256: 89f286b154c45e160c226e75f88f164acd1f0d2690ae56e724352c7e77d007f4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xC16F
Size: 10140 bytes