Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5d78bea8c11ce65…

MALICIOUS

PDF

42.6 KB Created: 2020-08-29 19:03:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7bc44a7808b7b1483ef0796dd5c16911 SHA-1: c609bb59594de510e53036755febbcc2512d0f3d SHA-256: c5d78bea8c11ce65a0b3f4cad6c9b4e4469b2572f3ce71cbbd44a6eacc2ccfbd
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a prominent link that directs users to a malicious redirector, disguised as a download for cracked software. The document body explicitly mentions 'download adobe premiere pro cc 2017 full crack fshare', reinforcing the lure. The presence of a PDF link farm and instructions to disable security software further indicate malicious intent.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=download+adobe+premiere+pro+cc+2017+full+crack+fshare
    • https://static.usrfiles.com/ugd/7598fa_e84958353b0a43b8a2c5a2653291ced7.pdf
    • https://static.usrfiles.com/ugd/b8c837_8afbc1d284604938b04773cf9b93acff.pdf
    • https://static.usrfiles.com/ugd/dfb5f8_a98ad2f131ef4ebbafd670f183b9561c.pdf
    • https://static.usrfiles.com/ugd/b8c837_dac3e143529548129b0979515ddd7071.pdf
    • https://static.usrfiles.com/ugd/b8c837_1c3f3a8bef8048498e57e54c2098736e.pdf
    • https://static.usrfiles.com/ugd/b8c837_df04a3c7bfc34e81a87a5fd656363619.pdf
    • https://static.usrfiles.com/ugd/b8c837_38f7c5566bac4346964b40250b055254.pdf
    • https://static.usrfiles.com/ugd/b8c837_00019555e78f499daa8fb10badac18db.pdf
    • https://static.usrfiles.com/ugd/5fd5c1_18a96201a6cf40fa938a4dc32b0b3ff3.pdf
    • https://cdn.shopify.com/s/files/1/0436/7951/4777/files/repair_manual_270962_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/8774/9525/files/vukosipitavesozomo.pdf
    • https://cdn.shopify.com/s/files/1/0427/8072/1311/files/add_and_subtract_fractions_worksheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064e0.bin
222c380932fc611847640cce5475f9a47ab17f962ccdd62dbc0615b12ad41673		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64E0 6096 bytes
font_01_sfnt_off00007999.bin
9d162cd2a096075b23cbfdb668b8aebea4a281b9156e48474eeaf7f6f93c53eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7999 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.