Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1b529af535d5880…

Verdict: MALICIOUS
File type: PDF
Size: 35.5 KB
Created: 2020-09-09 08:11:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69554902330622081e4131795d99805b
SHA-1: d5cb50fcff892e12375fa61a33715c8bba53486c
SHA-256: b1b529af535d5880977f982939df7ea71972fdc7151a9e1422ccd122ef8a47f9
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF, which masquerades as an annual report, contains numerous links to a redirector URL. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates that the primary link leads to known malicious infrastructure. The PDF_SEO_LINK_FARM heuristic indicates that a large number of external links were embedded, likely to improve search engine ranking for malicious content or to spread the malicious payload across multiple benign-looking domains.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.me/wix?keyword=krisenergy+annual+report+2015

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00004a47.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4A47  5508 bytes
  SHA-256: 62ac476e24c092c28fc76458114b57963cc78cbfde7e2e0c53ba6e725f034164
font_01_sfnt_off00005d2a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5D2A  10608 bytes
  SHA-256: 72bbc4f2505b330ded63b2a34b957561caba6c70fa161697bbf4795f7b276ca1