Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5622650f0975c2d…

MALICIOUS

PDF

39.8 KB Created: 2020-09-03 21:23:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65b6697c76d007c076e4ad754e4a0ee2 SHA-1: 306a511598937b737a40bcda6e1d1be7bb4822ea SHA-256: b5622650f0975c2db4368d0f10b81f0949745d8ce093c68195e588252d85a47b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. Additionally, the PDF_SEO_LINK_FARM heuristic indicates the presence of numerous external links, likely intended to obscure the malicious redirector. The document body, though heavily obfuscated, contains the malicious URL and several benign-looking URLs, suggesting a lure to a malicious site disguised as a resource page.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=interactive+labs+demographics+lab+answers
    • https://static.usrfiles.com/ugd/7598fa_9cb8814bc15d4e949be33a13bbc1c493.pdf
    • https://static.usrfiles.com/ugd/5de1df_a4111c027dfd4c7b9558e144f8f8f5d3.pdf
    • https://static.usrfiles.com/ugd/9904c2_3bdba66da0574c3b9cde2f7ea3557ef8.pdf
    • https://static.usrfiles.com/ugd/1e32c2_f8e767daf15d4e47a0505169395918a8.pdf
    • https://static.usrfiles.com/ugd/6f5f23_1252964938484d61a797510c4ab9dfc2.pdf
    • https://static.usrfiles.com/ugd/50de67_88b4dc861c784e0e95902ba036d998f4.pdf
    • https://cdn.shopify.com/s/files/1/0428/6640/9638/files/solidworks_surface_tutorials.pdf
    • https://cdn.shopify.com/s/files/1/0428/1594/6911/files/xusebibivelezanur.pdf
    • https://cdn.shopify.com/s/files/1/0431/1485/6610/files/ain_t_misbehavin_chords.pdf
    • https://cdn.shopify.com/s/files/1/0437/0527/0427/files/pacman_classic_arcade_game.pdf
    • https://cdn.shopify.com/s/files/1/0463/2166/4160/files/nuvozixorogimiz.pdf
    • https://static.usrfiles.com/ugd/a44510_911cfd6db0d84e289c7270488beb959b.pdf
    • https://static.usrfiles.com/ugd/9e41f0_d4f28eeaab864d7388ecd3356f6538f5.pdf
    • https://static.usrfiles.com/ugd/b444d4_372c276dee724fa2bd93f83407eebd95.pdf
    • https://static.usrfiles.com/ugd/0aab01_aedeaf53e4074981aab4102456b4956a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005bf5.bin
584211ed5dc7bae9d1091e9e6771248f24413760c2283441f68c2adc99ba46fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BF5 5716 bytes
font_01_sfnt_off00006f44.bin
ef141d27ff18b4d3d18429072b6fe26cf11a8a7d7119d974431c66fca2bf30ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F44 10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.