Malicious PDF — malware analysis report

Static analysis result for SHA-256 babd79d59681530c…

Verdict: MALICIOUS
File type: PDF
Size: 49.6 KB
Created: 2020-09-17 15:38:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59a59d676d7e1a8f51d9afe796e30dee
SHA-1: 0736fb3f551b932354e078543d3d26d63fc59930
SHA-256: babd79d59681530c58f9bb02f74b23ffc9266845864cf822db8b161840a0622c
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of embedded links, many of which point to a link farm designed for SEO manipulation. One prominent URL, 'https://ttraff.club/wix?keyword=frog+dissection+crossword+answers', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to the crossword and the malicious URL, suggesting a lure to a malicious site.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.club/wix?keyword=frog+dissection+crossword+answers

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (SHA-256 on following line)   Kind             Source                                      Size
font_00_sfnt_off000076bb.bin           pdf-font-stream  PDF embedded font (sfnt) at offset 0x76BB   4908 bytes
  c6e960422d692de58070f055a624217f9e4fd37b5759e190a1feebff4d58e81c
font_01_sfnt_off0000878a.bin           pdf-font-stream  PDF embedded font (sfnt) at offset 0x878A   10364 bytes
  edf87683f941b1fc9988bee12ee9abbe3d68940064aa4c4dfbdd3a5548483e06
font_02_sfnt_off0000aaf9.bin           pdf-font-stream  PDF embedded font (sfnt) at offset 0xAAF9   4324 bytes
  b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c