Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4e00506de224044…

Verdict: MALICIOUS
File type: PDF
Size: 37.2 KB
Created: 2020-09-02 13:08:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f3014e28e13046e29811f5c70798639
SHA-1: db961da35b7332b0f85e65458d40b80ede1a2296
SHA-256: c4e00506de2240445e028f9ab213f6b31b242f6cad728d613a8d2fbd989ea85c
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains multiple embedded links, with one pointing to a known malicious redirector. The document body, though heavily obfuscated, appears to contain text related to 'critical incident reporting policy disability', likely a lure. The primary malicious IOC is the redirector URL, which is designed to lead the user to further malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=critical+incident+reporting+policy+disability
    • https://static.usrfiles.com/ugd/2f7815_10c756628db24f3c95076615f949a21b.pdf
    • https://static.usrfiles.com/ugd/1e32c2_e187e095fbae49428c26848cc1f1b629.pdf
    • https://static.usrfiles.com/ugd/d93890_b6ddd342235b4e33a7e9b85e67e6b0f5.pdf
    • https://static.usrfiles.com/ugd/10b11f_98de1dba13e74e4483ed2992f1380ba8.pdf
    • https://static.usrfiles.com/ugd/f84671_dbe2b504c7e84e54b8db0f1390bda215.pdf
    • https://static.usrfiles.com/ugd/906e9f_95dc32d1f2f64eb1aac0e7d0057e7ac6.pdf
    • https://static.usrfiles.com/ugd/7041e4_432e09b3999d44fd93157da31f33840d.pdf
    • https://static.usrfiles.com/ugd/1c8c6c_187eec046f2a4294a8d15ec06998e1f4.pdf
    • https://static.usrfiles.com/ugd/b8c837_8dcdd885d9634eddb6749e7c982bfcf0.pdf
    • https://static.usrfiles.com/ugd/d5415a_f47ee908e092449a87f0bb367379fd39.pdf
    • https://static.usrfiles.com/ugd/3aca14_32ed186729c54847a6f4912ea0ed6bb2.pdf
    • https://static.usrfiles.com/ugd/906e9f_bf5d3360db65458fabb7a8c37c7abc33.pdf
    • https://static.usrfiles.com/ugd/bdeb4c_625a9f4493a8412f809cc13bb458cb16.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                      Size
font_00_sfnt_off00005552.bin  91e0440cca5aa170300db80d41f7332e0c8e13382a65c8b1d52b94c604522609  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5552  5388 bytes
font_01_sfnt_off000067ae.bin  53c6d0ac901b2626092b2d58dcc88edb677fa057058f61f243ae029e355a11dd  pdf-font-stream  PDF embedded font (sfnt) at offset 0x67AE  9520 bytes