Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae949d2e45213c67…

MALICIOUS

PDF

64.3 KB Created: 2020-09-18 20:29:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5288d80b7081b9e94dbc193a89ac0de9 SHA-1: e4b93c1bed44b2e2f7746ad44bbdf4a1371e1ea0 SHA-256: ae949d2e45213c67f69bd760945c9ed0f5727b42924cec79ccd1854e1bced731
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link and a link farm, indicating an attempt to direct users to harmful content. The document body, though heavily obfuscated, contains the malicious URL and other URLs that appear to be part of a link farm. The heuristic firings confirm the presence of a malicious redirector and a link farm, suggesting the primary goal is to lead the user to a malicious site. The 'SE_CALLBACK_LURE' heuristic suggests a potential callback phishing or tech-support scam pretext.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=zipspin+dvd+duplicator+manual
    • http://files.beevoice.net/uploads/1/3/1/4/131437823/82f6640bb27899.pdf
    • http://files.shanemorganart.com/uploads/1/3/2/7/132740375/wawuretuvolabo-zufinebawor-mikuv-nigufedutoludij.pdf
    • http://files.recrates.co/uploads/1/3/2/6/132682868/e0dcb9d.pdf
    • http://files.glassbynanc.com/uploads/1/3/2/6/132696104/zowatiroz_nabazogugowol.pdf
    • http://files.someday-l.com/uploads/1/3/0/7/130738850/ba78a.pdf
    • https://cc1fef2c-e45b-4c57-be01-c6ec839808a0.filesusr.com/ugd/17ce20_d1499a6abcbf40abb43c7a8c4c1b0e0e.pdf?index=true
    • https://99b8bf6f-464f-4a9e-88c2-485a34849566.filesusr.com/ugd/565485_b5967789b5e6432fbe5da2316589df23.pdf?index=true
    • https://95bd0e37-769f-41cf-8e1d-03e61cc6a0fa.filesusr.com/ugd/eb2f7d_3c8efa205f734bd691afb53cfdc5c2a3.pdf?index=true
    • https://e02d3365-1845-4298-88d8-2638152865ff.filesusr.com/ugd/f35da0_caf5e3373eb6494fad6b40137886519d.pdf?index=true
    • https://7a076f62-b72d-47cf-9662-e44c47696eed.filesusr.com/ugd/f9d4cd_695f05ddc8184c0d87e9b0a75be5ec2b.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0438/0377/1041/files/ccc_online_test_50_question_with_answer.pdf
    • https://cdn.shopify.com/s/files/1/0430/8025/3593/files/pepivileguma.pdf
    • https://cdn.shopify.com/s/files/1/0431/1059/6765/files/kuzogafalowomenezupedizin.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009585.bin
e71ccd8714cb4ed6158c33e0c6c4cc049fbea6813fedbd2fa3671fc243bf9c70		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9585 4176 bytes
font_01_sfnt_off0000a44e.bin
70df1c21aac7add74fa428bb60ae7266c734385a4b0eb4cc409237eb590be091		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA44E 5000 bytes
font_02_sfnt_off0000b529.bin
94adbd615538b01902a19abbac271c5968628e05b09d27518795f9bd812cf116		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB529 15928 bytes
font_03_sfnt_off0000e617.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE617 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.