Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e2893a4b8929294…

MALICIOUS

PDF

Size: 41.6 KB
Created: 2020-09-20 23:00:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 599855248660cdc7c9d9982cdbbf092f
SHA-1: 00bd967819c8f3d4e6b5a472cb7a9f6d970518eb
SHA-256: 9e2893a4b89292948e21406bc8e8d1da7dafde2f3f63eb37d1e07d6c7b986347
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a mass external link farm, with one URL pointing to a known malicious redirector. The document body, though obfuscated, contains text related to a "handshake problem formula" which likely serves as a lure. The presence of numerous PDF links suggests an attempt to distribute malicious content or engage in SEO manipulation for malicious purposes. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000062e0.bin
  SHA-256: a3bfab6c4807caf596878a0d535f51b40d86fd51ab174d480fac08dc5c51385c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x62E0
  Size: 5444 bytes

Filename: font_01_sfnt_off00007530.bin
  SHA-256: 2d9a4a594478a65ddc4a75ad09ef75f9d74d11c8e90a57eb4e6587ba6ee16fce
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7530
  Size: 10828 bytes