Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5cdb74617ef060b…

Verdict: MALICIOUS

File type: PDF

Size: 41.4 KB
Created: 2020-09-06 16:20:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75691b83304d474afa0cb7fdb91d09cc
SHA-1: 6e66ac64dd3f868d52cd5be23e3c7e9b642154ef
SHA-256: a5cdb74617ef060b364b6b826c507f555e623e824292d7102913601912cc856f
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link

The PDF document contains numerous embedded links, with one specifically pointing to a known malicious redirector. The heuristic firings indicate that this PDF is part of a link farm designed to direct users to malicious infrastructure. The primary malicious IOC is the redirector URL, which likely serves as a gateway to further malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • [URL] https://ttraff.club/pify?keyword=florid+cemento-+osseous+dysplasia+pdf
    • https://static.usrfiles.com/ugd/03ae60_d73402764d2a4269a3a7c08d40d5f628.pdf
    • https://static.usrfiles.com/ugd/70094d_84fd6609d3b045cba7e62b33dd76635b.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ee411929aed468eaa0a2edda25113f1.pdf
    • https://static.usrfiles.com/ugd/03ae60_15f7f2c71c0d43a8bf2bdce58e50bba0.pdf
    • https://static.usrfiles.com/ugd/361f4b_815b1eebaa1e498897b8b90a43fb9724.pdf
    • https://static.usrfiles.com/ugd/b8c837_372cb3dce6f045f28742cc30cd90272f.pdf
    • https://static.usrfiles.com/ugd/2c608b_27b88edd47f54ec2839b5d3e5219929a.pdf
    • https://static.usrfiles.com/ugd/2eedf1_a58e45ef9d6e416a8bf68450b6263dbf.pdf
    • https://static.usrfiles.com/ugd/17beed_36241766d4474d79abab16c3a5687487.pdf
    • https://cdn.shopify.com/s/files/1/0438/6832/4005/files/86119409893.pdf
    • https://cdn.shopify.com/s/files/1/0447/2664/8985/files/pevabomo.pdf
    • https://cdn.shopify.com/s/files/1/0459/6619/6903/files/82621550800.pdf
    • https://static.usrfiles.com/ugd/22bf55_c7d9a429f4584fcb92fe0e95a916deb8.pdf
    • https://static.usrfiles.com/ugd/9e41f0_e0b51971316c4d94b815473af8ea25e2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                      Size
font_00_sfnt_off00006467.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x6467   5388 bytes
  SHA-256: 032ebe4444916fddc82c701ed15725c89ff021a788f9e17a98a58b2c4cdf7470
font_01_sfnt_off000076b8.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x76B8   10008 bytes
  SHA-256: e9a2f00986c85eb767ae71929dc881e3bda4cc2f2adfd38adb04104806cc3dc5