Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd15b450e5b97d68…

Verdict: MALICIOUS
File type: PDF
Size: 50.5 KB
Created: 2020-08-31 10:40:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7686d86bd0fc83c0c25955aa92dc8800
SHA-1: 81ae3ee2ac0d3cd9da64005f8ca7742bbac9bbd4
SHA-256: bd15b450e5b97d68a8f730a4e027ff9432445fa3299a2dcf862205b2cf8f146a
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (the clickable redirector URI listed below; T1566.002 is the link sub-technique, while Spearphishing Attachment is T1566.001)
  • T1059.001 PowerShell (not observed in this sample: no scripts were extracted, so treat this mapping as unconfirmed for the file itself)

The PDF is a generated lure for the search phrase 'daily use word meaning in hindi pdf' and carries a clickable link to https://ttraff.cc/wix?keyword=daily+use+word+meaning+in+hindi+pdf, a redirector that forwards to a known malicious domain. The keyword parameter echoes the lure text, which is characteristic of SEO-poisoning campaigns: the document is meant to be found through search, and the harm comes from following the redirect chain, not from a reader vulnerability. The document also contains an unusually large number of external links to other PDFs, seven on static.usrfiles.com and four on cdn.shopify.com, the pattern of a generated link farm rather than of a document citing sources. No scripts were extracted, so the payload delivered at the end of the redirect chain cannot be determined from this sample alone; the producer string (wkhtmltopdf) is consistent with the file having been rendered from an HTML page.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so reader version and patch level do not reduce the risk; blocking the redirector host and the link-farm hosts at the proxy does.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link to the redirector:
    • https://ttraff.cc/wix?keyword=daily+use+word+meaning+in+hindi+pdf
    Clickable external PDF links (seven on static.usrfiles.com, four on cdn.shopify.com):
    • https://static.usrfiles.com/ugd/b8c837_4ad074537707482d9ef2dda3d167778b.pdf
    • https://static.usrfiles.com/ugd/2274a7_cba44425e6ea42bab7d7f0342821ed37.pdf
    • https://static.usrfiles.com/ugd/865d50_eae699c29a44485690fd326ec1847703.pdf
    • https://static.usrfiles.com/ugd/d5415a_795e802b8dee4696bc58a309b6753c78.pdf
    • https://static.usrfiles.com/ugd/0e9fc2_0c113bee805246ae9706c7ae650377aa.pdf
    • https://static.usrfiles.com/ugd/0dcf4b_18659aad99bf43dfa6088cd5cdafaba5.pdf
    • https://static.usrfiles.com/ugd/9e41f0_c0b74316eddd4d84b758a5193cba9bcc.pdf
    • https://cdn.shopify.com/s/files/1/0432/7673/0533/files/gegop.pdf
    • https://cdn.shopify.com/s/files/1/0438/9984/6824/files/understanding_business.pdf
    • https://cdn.shopify.com/s/files/1/0433/5131/0488/files/pizajorodebe.pdf
    • https://cdn.shopify.com/s/files/1/0430/6996/4439/files/gufolabajumavajewamovoviw.pdf
    XMP/RDF namespace identifiers from the document metadata (schema URIs, not clickable links; they carry no signal on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
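As an added example (not part of this report and not the code of the engine that produced it), the following stand-alone Python script reproduces the two critical heuristics above on a constructed sample. It walks the indirect objects of a PDF, inflates FlateDecode streams so that link annotations packed in object streams and the XMP packet become searchable, labels each URL by the channel that carried it (link annotation, XMP namespace, or other document body), and scores the small-file / clustered-host link-farm pattern. The sample PDF, its paths, the size and count thresholds, and the redirector host list (seeded only with ttraff.cc from this report) are assumptions; the sample file exists only to exercise the extractor and is not meant to open in a viewer.

```python
"""Added example: static triage of a PDF for link-farm and redirector indicators.

Standard library only. Walking objects by regex is a triage approximation rather
than a conforming parser: encrypted files, cross-reference streams and incremental
updates are not handled, and binary data that happens to contain 'endobj' would cut
an object short. Use it as a first pass before pdfid/peepdf-style tooling.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Namespace identifiers that appear inside XMP metadata packets; they are not clickable links.
XMP_NAMESPACES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
)
# Redirector hosts to flag. ttraff.cc is the host named in the report; the set is otherwise an assumption.
REDIRECTOR_HOSTS = {"ttraff.cc"}

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)")  # direct /Length only, not "10 0 R"
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                 # /A << /S /URI /URI (...) >>
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")


def iter_object_bodies(pdf):
    """Yield each indirect object's bytes with FlateDecode stream data inflated,
    so annotations stored in object streams and the XMP packet can be searched."""
    for m in OBJ_RE.finditer(pdf):
        body = m.group(1)
        s = STREAM_START_RE.search(body)
        if s is None:
            yield body
            continue
        header = body[:s.start()]
        ln = LENGTH_RE.search(header)
        if ln:  # trust a direct /Length; binary data may legitimately contain "endstream"
            data = body[s.end():s.end() + int(ln.group(1))]
        else:   # indirect /Length: fall back to the endstream keyword
            data = body[s.end():].split(b"endstream", 1)[0].rstrip(b"\r\n")
        if b"/FlateDecode" in header:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                data = b""  # corrupt or multi-filter stream: keep the dictionary, drop the payload
        yield header + data


def extract_urls(pdf):
    """Return [(url, channel)]; channel is 'link-annotation', 'xmp-namespace' or 'document-body'."""
    seen = {}
    for body in iter_object_bodies(pdf):
        for m in URI_ACTION_RE.finditer(body):
            seen[m.group(1).decode("latin-1")] = "link-annotation"  # clickable: the strongest channel
        for m in ANY_URL_RE.finditer(body):
            url = m.group(0).decode("latin-1")
            if url not in seen:
                seen[url] = "xmp-namespace" if url.startswith(XMP_NAMESPACES) else "document-body"
    return list(seen.items())


def link_farm_verdict(pdf, urls, size_limit=100 * 1024, min_pdf_links=8, cluster_share=0.5):
    """Score the PDF_SEO_LINK_FARM pattern: a small file whose clickable links are mostly
    external .pdf documents clustered on one host. The three thresholds are assumptions."""
    clickable = [u for u, ch in urls if ch == "link-annotation"]
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "clickable": len(clickable),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "link_farm": len(pdf) <= size_limit and len(pdf_links) >= min_pdf_links and share >= cluster_share,
        "redirectors": sorted(u for u in clickable if urlparse(u).netloc in REDIRECTOR_HOSTS),
    }


# Constructed sample input (not the analysed file): hosts are the ones in the report, paths are made up.
SAMPLE_LINKS = (
    ["https://static.usrfiles.com/ugd/sample_%02d.pdf" % i for i in range(7)]
    + ["https://cdn.shopify.com/s/files/sample_%d.pdf" % i for i in range(4)]
    + ["https://ttraff.cc/wix?keyword=daily+use+word+meaning+in+hindi+pdf"]
)
SAMPLE_XMP = (
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/" '
    b'xmlns:xmp="http://ns.adobe.com/xap/1.0/"><pdf:Producer>wkhtmltopdf 0.12.5</pdf:Producer>'
    b"</rdf:Description></rdf:RDF></x:xmpmeta>"
)


def _stream_obj(num, entries, payload):
    data = zlib.compress(payload)
    return (b"%d 0 obj\n<< %s /Length %d /Filter /FlateDecode >>\nstream\n" % (num, entries, len(data))
            + data + b"\nendstream\nendobj\n")


def build_sample_pdf():
    """Minimal PDF skeleton whose link annotations and XMP packet sit in Flate streams."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>\n" % u.encode()
        for u in SAMPLE_LINKS)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Annots [5 0 R] >>\nendobj\n"
            + _stream_obj(4, b"/Type /Metadata /Subtype /XML", SAMPLE_XMP)
            + _stream_obj(5, b"/Type /ObjStm /N %d /First 0" % len(SAMPLE_LINKS), annots)
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample_pdf()
    urls = extract_urls(sample)
    for url, channel in urls:
        print("%-16s %s" % (channel, url))
    print(link_farm_verdict(sample, urls))
```

On the constructed sample the script reports twelve link-annotation URLs and four xmp-namespace URLs, eleven of the clickable links ending in .pdf with static.usrfiles.com holding seven of them, and ttraff.cc as the redirector; on a real file, replace `build_sample_pdf()` with the bytes of the document under analysis. Separating the XMP namespaces from the clickable channel is what keeps the namespace URIs above from inflating the link count.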

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_005_off00008ef2.bin
  SHA-256: 8882888933a50e74b63815cc562b294b5ea2d012b6cfbdad1ef94f0940b84e00
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x8EF2
  Size: 26440 bytes

Filename: font_00_sfnt_off0000597f.bin
  SHA-256: 719431fbb3d615a2d6d3245dfae6d131510796f4966bddf6d90280e47c6f3df7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x597F
  Size: 5648 bytes

Filename: font_01_sfnt_off00006ca0.bin
  SHA-256: 0fca49056d18df77b4df7751b945b6a2747e08d73e32cb08f999445ab4196942
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6CA0
  Size: 10040 bytes