Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2baa95365c0f765…

MALICIOUS

PDF

49.4 KB Created: 2020-09-07 18:00:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85c2a1defbb22b1a39c025c9c3eb061a SHA-1: 2ebb4e8140c6720d2b8cd9b0029d84af8f1edb2f SHA-256: b2baa95365c0f7656fb299ff7f79096bc5584c7c1d5215d9fa0f46e28c45fd37
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious Link

The PDF contains a malicious redirector link and a large number of external PDF links, suggesting a link farm or SEO poisoning attempt. The document body explicitly instructs the user to copy and paste content into a shell context, which is a common lure for executing malicious commands. The primary malicious URL is a redirector that likely leads to further stages of the attack.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=vb.+net++excel+file+from+url
    • https://cdn.shopify.com/s/files/1/0431/6761/3077/files/pugiwi.pdf
    • https://cdn.shopify.com/s/files/1/0434/9650/5496/files/18523333084.pdf
    • https://cdn.shopify.com/s/files/1/0430/4617/4877/files/nabafizifetesug.pdf
    • https://cdn.shopify.com/s/files/1/0439/2691/3179/files/bansal_classes_chemistry_notes.pdf
    • https://cdn.shopify.com/s/files/1/0431/9569/5266/files/jufodasabovapegupopu.pdf
    • https://cdn.shopify.com/s/files/1/0429/5091/8310/files/93243107074.pdf
    • https://cdn.shopify.com/s/files/1/0431/4166/0826/files/personality_development_and_social_graces.pdf
    • https://cdn.shopify.com/s/files/1/0433/9073/0405/files/timoxoliwi.pdf
    • https://cdn.shopify.com/s/files/1/0430/4296/3613/files/american_beauty_shooting_script.pdf
    • https://cdn.shopify.com/s/files/1/0446/6124/4067/files/how_to_improve_your_english_pronunciation.pdf
    • https://cdn.shopify.com/s/files/1/0462/2771/8293/files/tinoxanobulufa.pdf
    • https://cdn.shopify.com/s/files/1/0461/9704/7447/files/nesix.pdf
    • https://cdn.shopify.com/s/files/1/0433/3414/0072/files/8829093462.pdf
    • https://static.usrfiles.com/ugd/760101_70514b853c3d4d88995f84db29963b6d.pdf
    • https://static.usrfiles.com/ugd/2c76f4_dd40a570eb93493ba3fe906dae5f2ac4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000078e2.bin
5fb2e6d0a559fbfbdcfc4e39f3d859e6a7d665f3148d77f644c4a63ec3128c61		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78E2 4844 bytes
font_01_sfnt_off0000895c.bin
e289b9be4a142f8600d6bec669b5e390ba6c6824adc8cfd5319b10b48ac5d4f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x895C 15180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.