Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1a72d94636a58db…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Created: 2020-08-31 05:39:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59777defb1ff8d25f0088c1166eae236
SHA-1: 7937eee582ac2279a295944e6975575270e1920e
SHA-256: b1a72d94636a58db0ae0c39a3af79a087b53beccd73e45da3ea19d83da24a886
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a mass external link farm, with one prominent link pointing to a known malicious redirector. The document body, though partially corrupted, contains text related to 'Bvcam for windows' and a URL, suggesting a lure to download or interact with malicious content. The presence of numerous links to static.usrfiles.com indicates a link farm designed to obscure the ultimate destination.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/wix?keyword=bvcam++for+windows
    • https://static.usrfiles.com/ugd/f96b02_d27f7c92a05b445a9cca021c5c9b6a12.pdf
    • https://static.usrfiles.com/ugd/0a052f_864a098f453643959503d61b6c695911.pdf
    • https://static.usrfiles.com/ugd/b8c837_cbde0697eade453e89748eba8e4cc329.pdf
    • https://static.usrfiles.com/ugd/b8c837_61cac3feeb7743d2911af8ce56d9667b.pdf
    • https://static.usrfiles.com/ugd/b8c837_669809b714e941dc9a4afbdb65e5e174.pdf
    • https://static.usrfiles.com/ugd/b8c837_15d5a2bcce5648acb1eb6306d6485cc6.pdf
    • https://static.usrfiles.com/ugd/34e21e_5e67a0b5e7df4d1e8daa777815bb47dc.pdf
    • https://static.usrfiles.com/ugd/b5aed9_7f779dc2b763435ba663ae64d3d1cc7b.pdf
    • https://static.usrfiles.com/ugd/b8c837_cda37eaa1d2243e7ad204dc883723ec4.pdf
    • https://static.usrfiles.com/ugd/b8c837_9b8b240113f84047861855218c3ba26b.pdf
    • https://static.usrfiles.com/ugd/b8c837_a7318f5f86d74ce6b90b071dcefc3fb6.pdf
    • https://static.usrfiles.com/ugd/2e4eb4_d285b1dbf0214e299da62c6c913a736d.pdf
    • https://static.usrfiles.com/ugd/ecec20_7da69dcf898f421eb4f95b89d14d0d89.pdf
    • https://static.usrfiles.com/ugd/b8c837_3662aec4e0c945e5b011eba02bae30d8.pdf
    • https://static.usrfiles.com/ugd/2ca22b_1fbbb430504f4e79a89155a9e977d31f.pdf
    • https://static.usrfiles.com/ugd/b4f0c6_9ff89a5fe30b48eb8079281cef4ce3c3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000069d9.bin
    SHA-256: eb5d6fd224a6ea42952439ef945bfeac9fbc3b51a11bb6f4b63418b95bd38573
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x69D9
    Size: 5336 bytes
  • Filename: font_01_sfnt_off00007bfc.bin
    SHA-256: ebc1a01f260fba19a10f34b2fe6102505516569603c1b2ba7ca9ca4d57d1a648
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7BFC
    Size: 10084 bytes