Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc8361c464227818…

Verdict: MALICIOUS
File type: PDF

Size: 39.8 KB
Created: 2020-08-30 07:03:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bec00294f79095b9ab68c55e369a3458
SHA-1: e2db5c2e77c6b238a3e2eed9a153e1aaf174c6dc
SHA-256: bc8361c464227818b487dc0825c8f3599f1c424adeab181ef05b177e3228fc3e
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link
  • T1059.001 PowerShell

The PDF contains multiple embedded link annotations, one of which points to a known malicious redirector (ttraff.ru). The document body, although partially corrupted, carries the same product keyword that appears in the redirector URL's query string, which is consistent with a lure page converted to PDF (the authoring application is wkhtmltopdf, an HTML-to-PDF converter). The many links to external PDFs, most of them hosted on static.usrfiles.com, form a link farm that pads the document and obscures the one malicious destination. No JavaScript or other script objects were extracted; the redirection depends on a user clicking a link annotation, not on a parser vulnerability.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=colchon+triple+lo+monaco+colchones
    • https://static.usrfiles.com/ugd/b8c837_0caf9dcfc96840cc8396062fb021bf47.pdf
    • https://static.usrfiles.com/ugd/b8c837_543db91c33644cff86472327345cd088.pdf
    • https://static.usrfiles.com/ugd/20d83a_7beaf364ff17465e82fa6198e8200519.pdf
    • https://static.usrfiles.com/ugd/5de1df_8cde36f1fdbd4bef9a395d046487e183.pdf
    • https://static.usrfiles.com/ugd/b8c837_022441e0a6994c79b7f1fd4cfe042bb1.pdf
    • https://cdn.shopify.com/s/files/1/0438/7622/1096/files/el_materialismo_racional.pdf
    • https://cdn.shopify.com/s/files/1/0431/6895/6565/files/89508429739.pdf
    • https://cdn.shopify.com/s/files/1/0431/3320/6690/files/18295146402.pdf
    • https://cdn.shopify.com/s/files/1/0430/8343/2096/files/padixuz.pdf
    • https://cdn.shopify.com/s/files/1/0432/1509/3924/files/8190793376.pdf
    • https://static.usrfiles.com/ugd/f46427_0f352c65145342edb23f144b5668d88e.pdf
    • https://static.usrfiles.com/ugd/e33828_0a3fd69536194a108fbf6fbf00333836.pdf
    • https://static.usrfiles.com/ugd/4b68be_763911309eb9470ebd3931c68d6ba942.pdf
    • https://static.usrfiles.com/ugd/a91264_14802b19ee014b07af1827a1b7816b8f.pdf
    • https://static.usrfiles.com/ugd/b8c837_8a11080f724b4a2cb24dc0a40c4d53e4.pdf
    • https://static.usrfiles.com/ugd/79cb75_34b3f741336d4185b115df1117539425.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP metadata namespace URIs (RDF, Dublin Core, Adobe PDF and XMP schemas), not clickable link annotations; they occur in most PDFs that carry XMP metadata and carry no signal on their own.
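How the two heuristics above and the per-URL channel labelling can be reproduced, as an added example that is not the analysis platform's own code. It scans raw PDF bytes with the Python standard library only, builds a constructed sample PDF inline so it runs offline (only the ttraff.ru URL is taken from this report; the usrfiles and shopify paths, the size and count thresholds, and the `KNOWN_REDIRECTORS` list are assumptions), and tags each extracted URL with the channel it came from so that XMP namespace URIs are never counted as clickable links.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Literal-string /URI action inside a link annotation: /URI (https://...).
# Handles backslash escapes. It will not see hex strings (<...>) or objects
# packed into compressed object streams; inflate those with a real parser
# (e.g. pypdf) before scanning, or the link count will be too low.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Namespace declarations inside an XMP metadata stream: xmlns:pdf="http://..."
_XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_-]+\s*=\s*"([^"]+)"')


def _unescape(s: bytes) -> str:
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def extract_urls(pdf: bytes):
    """Return (url, channel) pairs. The channel separates a clickable link
    annotation from a namespace URI that only appears in XMP metadata and
    is never rendered as a link."""
    urls = [(_unescape(m.group(1)), "link-annotation") for m in _URI_RE.finditer(pdf)]
    urls += [(m.group(1).decode("latin-1"), "xmp-namespace") for m in _XMLNS_RE.finditer(pdf)]
    return urls


def evaluate(pdf: bytes, redirector_hosts, *, max_size=200_000, min_links=8, min_cluster=0.5):
    """Apply the report's two heuristics to one PDF and list every URL with its
    channel. The thresholds are assumptions for this example, not the
    platform's real values. Returns a list of (severity, rule_id, details)."""
    urls = extract_urls(pdf)
    clickable = [u for u, ch in urls if ch == "link-annotation"]
    hits = []
    # PDF_MALICIOUS_REDIRECTOR_LINK: a clickable URI whose host is on the intel list
    bad = [u for u in clickable if urlparse(u).hostname in redirector_hosts]
    if bad:
        hits.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", bad))
    # PDF_SEO_LINK_FARM: small file, many external .pdf links, most on one host
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    if pdf_links and len(pdf) <= max_size and len(pdf_links) >= min_links:
        host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= min_cluster:
            hits.append(("critical", "PDF_SEO_LINK_FARM", [f"{n}/{len(pdf_links)} .pdf links on {host}"]))
    # EMBEDDED_URL: informational; the channel label, not the URL, carries the meaning
    if urls:
        hits.append(("info", "EMBEDDED_URL", [f"{u} [{ch}]" for u, ch in urls]))
    return hits


def build_sample_pdf(link_urls, xmp_namespaces):
    """Constructed minimal PDF: one /Link annotation per URL plus an XMP
    metadata stream with the given namespaces. Demo input only, not the
    analysed sample."""
    xmp = "<rdf:RDF " + " ".join(f'xmlns:{p}="{ns}"' for p, ns in xmp_namespaces.items()) + "/>"
    objs = [
        "<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots ["
        + " ".join(f"{5 + i} 0 R" for i in range(len(link_urls))) + "] >>",
        f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream",
    ]
    for u in link_urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ({esc}) >> >>")
    out, offsets = "%PDF-1.4\n", []
    for n, obj in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n{obj}\nendobj\n"
    startxref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n"
    out += "".join(f"{o:010d} 00000 n \n" for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{startxref}\n%%EOF\n"
    return out.encode("latin-1")


# Constructed sample mirroring the report's pattern: one link to the redirector
# host and a cluster of external .pdf links, most on one host. The usrfiles and
# shopify paths are made up; only the ttraff.ru URL is taken from the report.
SAMPLE_URLS = (
    ["https://ttraff.ru/wix?keyword=colchon+triple+lo+monaco+colchones"]
    + [f"https://static.usrfiles.com/ugd/sample_{i:02d}.pdf" for i in range(9)]
    + [f"https://cdn.shopify.com/s/files/sample_{i:02d}.pdf" for i in range(3)]
)
SAMPLE_XMP = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "dc": "http://purl.org/dc/elements/1.1/",
    "pdf": "http://ns.adobe.com/pdf/1.3/",
}
KNOWN_REDIRECTORS = {"ttraff.ru"}  # host named in this report; a real list comes from threat intel


def run_demo():
    return evaluate(build_sample_pdf(SAMPLE_URLS, SAMPLE_XMP), KNOWN_REDIRECTORS)


if __name__ == "__main__":
    for severity, rule, details in run_demo():
        print(f"[{severity}] {rule}")
        for d in details:
            print("   ", d)
```

Run it directly to print the three findings for the constructed sample: the redirector hit, the "9/12 .pdf links on static.usrfiles.com" cluster, and the full URL list with channel labels. On a real document, remember that link annotations stored inside compressed object streams are invisible to a byte-level regex; decompress with a PDF library first. The heuristics themselves need nothing beyond the annotation URIs, the file size and an external list of redirector hosts, which is why no script extraction is required to classify this kind of carrier.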

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005e2c.bin
SHA-256:  929f1164deb8b99f140a335cb20a27546dfe8f4c51bba0440bd91ccc60f06f6c
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x5E2C
Size:     5076 bytes

Filename: font_01_sfnt_off00006f30.bin
SHA-256:  4441aa288727b2da841b8658b3726279b995495fd71d1d9db502b25fa7b5f4f5
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x6F30
Size:     10288 bytes