Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ce42d7c0660e75b…

MALICIOUS

PDF

Size: 37.1 KB
Created: 2020-09-01 20:45:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6015f9bc385dd2daba790ad51435089d
SHA-1: 15b4d0390238b4fcece5f6f875866e0cc5130b0e
SHA-256: 9ce42d7c0660e75b1ee5b0cc7cfa52ec6177cf7081d1fc0fc90fa8c4b0ac5538
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, and a critical heuristic fired indicating a PDF link farm. One of the primary links points to a known malicious redirector. The document body, though heavily obfuscated, contains the same URL as the primary malicious link, which suggests an attempt to lure users to malicious content through a link farm.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.ru/wix?keyword=chromolith+performance+rp+18e+merck

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000045b0.bin
    SHA-256: d0cbd741b3a1ab6038ccfdd364acb4b4d955b4618f85e689e8a1f026ec1ecc1e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x45B0
    Size: 3288 bytes
  • font_01_sfnt_off00005174.bin
    SHA-256: 1bd2004ed5d8a4b09c3b38c6c010a32b586c32e781adfa3f97aa3ef7dedd388b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5174
    Size: 5292 bytes
  • font_02_sfnt_off0000634d.bin
    SHA-256: 9a43caf110305618b242b7da2bca1e41f69449069546dc219ce6a1b58e80e76f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x634D
    Size: 11148 bytes