Malicious PDF — malware analysis report

Static analysis result for SHA-256 c11cff1576e3e51d…

MALICIOUS

PDF

33.7 KB Created: 2020-08-30 08:44:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8132962bf737fc4fbad17d095988a002 SHA-1: a2232e77796291890bdfcc582fb63563a9c67071 SHA-256: c11cff1576e3e51df0e131180d10bb344a26513bbc762d33334f1c4403842000
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link. The document body, though heavily obfuscated, contains the same URL. This URL likely leads to a phishing or malware distribution site. The presence of numerous external PDF links, while many are benign, suggests a link farm or SEO poisoning tactic to obscure the malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=cbp+minneapolis+hiring+center+email
    • https://static.usrfiles.com/ugd/74e905_a498ea7dd3274432aeee408daa4cc81a.pdf
    • https://static.usrfiles.com/ugd/0c4177_e40908e906034c5d80fe666c5a3ba66e.pdf
    • https://static.usrfiles.com/ugd/cfa91a_a1d613e2ce554527951b07b6da95dbbf.pdf
    • https://cdn.shopify.com/s/files/1/0437/2532/4439/files/aboriginal_flag_template.pdf
    • https://cdn.shopify.com/s/files/1/0437/6051/7274/files/tumor_basocelular.pdf
    • https://cdn.shopify.com/s/files/1/0428/3524/7271/files/install_motioninjoy_driver_fail.pdf
    • https://cdn.shopify.com/s/files/1/0436/8531/4715/files/tusip.pdf
    • https://cdn.shopify.com/s/files/1/0436/4235/5865/files/jurnal_bblr_terbaru.pdf
    • https://static.usrfiles.com/ugd/b8c837_e21ac01d42b1456f88727182eb37006b.pdf
    • https://static.usrfiles.com/ugd/b8c837_4f4d09b9fea84cd1b14c3408aa13144d.pdf
    • https://static.usrfiles.com/ugd/b8c837_b5cfaea357d74801a4863968279feb0a.pdf
    • https://static.usrfiles.com/ugd/4bb894_6a3b5bfb45124f11951fbdbb8876ab54.pdf
    • https://cdn.shopify.com/s/files/1/0436/5503/7078/files/54333109033.pdf
    • https://cdn.shopify.com/s/files/1/0434/6275/4461/files/anatomy_of_the_spirit_by_caroline_myss_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000044f4.bin
2cd00bf3341c0275085a47f7812aac6272928c187742b02dbd1ffacffdfb4c52		 pdf-font-stream PDF embedded font (sfnt) at offset 0x44F4 5392 bytes
font_01_sfnt_off00005710.bin
528a7e603aeeac397e119a608494ebbdae547d96ebe534a53fc8aab2e9f8be13		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5710 10200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.