Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4dcf553f663a547…

Verdict: MALICIOUS
Type: PDF
Size: 40.6 KB
Created: 2020-09-01 20:13:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 91e55ef3abd8e002ed8a7b594075bbde
SHA-1: 8b7d3179911869640f6a74529fc4634c96246ad4
SHA-256: a4dcf553f663a547826e247d941c48b58490c270733442f17652244a796839a5
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1059 Command and Scripting Interpreter

The PDF contains a malicious redirector link and a large number of external PDF links, suggesting a link farm used for SEO manipulation or to distribute further malicious content. The document body also contains instructions that lure the user into copying and pasting content into a shell, a common tactic for tricking users into executing commands that download and run secondary payloads. No scripts were extracted, but the combination of the malicious link and the command-execution lure strongly indicates malicious intent.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.cc/wix?keyword=pure+white+background+images

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006123.bin
    SHA-256: 046cefa19b14fcd567a161886cdab3965878361825cccf39bcce7ed04e1f5de7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6123
    Size: 5616 bytes
  • Filename: font_01_sfnt_off0000741e.bin
    SHA-256: dc445691b78303af5f221045279c1a47084ace30443006817489123413fe5ac0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x741E
    Size: 9844 bytes