Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2c5329cfade2fa9…

MALICIOUS

PDF

39.4 KB Created: 2020-08-31 12:00:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73591465be48b6b3767bbc46a5a26bd2 SHA-1: f29839030d2e76e23c9c08a26ee8a3fe263bbbb7 SHA-256: b2c5329cfade2fa91b987682ea04895f4a91dc84f42440301c60377440ee84bc
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with a critical heuristic identifying a link to a known malicious redirector. The document body, though partially corrupted, suggests a lure related to a 'work certificate'. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=exemplaire+certificat+de+travail+pdf
    • https://static.usrfiles.com/ugd/b8c837_c025833d1d234c23969e4c6b46ed53dd.pdf
    • https://static.usrfiles.com/ugd/0286dd_2e69bb39d38f4984a9be5741ba674f63.pdf
    • https://static.usrfiles.com/ugd/fa32a6_06b5a067db6e474a8ac3bf998fb0ccab.pdf
    • https://cdn.shopify.com/s/files/1/0427/7963/9967/files/lazuwexedog.pdf
    • https://static.usrfiles.com/ugd/b8c837_80390e738f7b4cc19f5fc7b7833ebd44.pdf
    • https://static.usrfiles.com/ugd/55f640_16225c0e88d1430faee8bf171b2352be.pdf
    • https://static.usrfiles.com/ugd/b8c837_b4d8fb8f5c4e45459aabfa5bcd063d47.pdf
    • https://static.usrfiles.com/ugd/a2c2bc_ef20975b7c434742820bd57520f30df8.pdf
    • https://static.usrfiles.com/ugd/09c3c7_fec4b7f62f424fd48ac39b1afe65b08d.pdf
    • https://static.usrfiles.com/ugd/b8c837_bf52e3c9035c4fc5ba97cdc78f330aad.pdf
    • https://static.usrfiles.com/ugd/f65518_afed85ad10124a5085c4cd170d476cdf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ab1.bin
f78bdc9675805445c355563a5fe17ff8fad461380bca051a1ba62120d6b0420d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AB1 5208 bytes
font_01_sfnt_off00006c5c.bin
690e0c9de70460becb9fb2c80c59b25ec221821bb65dbb4f550c337b4e4aff5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C5C 11124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.