Malicious PDF — malware analysis report

Static analysis result for SHA-256 c681f24f215df95e…

MALICIOUS

PDF

37.7 KB Created: 2020-08-30 02:50:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 773ab72e6c86d3d82ac14ee53b2977c1 SHA-1: 60a74b93725234d588fd31201dc5a2f65f1175d7 SHA-256: c681f24f215df95e76498beb08d6e42363a44cb254a53b701db459bfc8b69b0a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which points to a URL that appears to be part of a product listing lure. The document body, though heavily garbled, contains fragments that suggest product information and the malicious URL itself. The PDF also contains a large number of embedded links, many of which point to a domain that hosts numerous other PDFs, indicating a potential link farm or SEO manipulation tactic to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=braun+brewsense+drip+coffee+maker
    • https://static.usrfiles.com/ugd/b8c837_78649abb3d80431f8a9bf0224a081a4f.pdf
    • https://static.usrfiles.com/ugd/b8c837_d67cc1a50274440aa9e2f9275bacda63.pdf
    • https://static.usrfiles.com/ugd/b8c837_b3c91d1cdd20489fab72408da3a639f5.pdf
    • https://static.usrfiles.com/ugd/d1d005_e4646ca8ff0445fe8cb20542e5da0b9c.pdf
    • https://static.usrfiles.com/ugd/af0aa9_8f2e41b7ed6b4cd79935681b2b95541e.pdf
    • https://static.usrfiles.com/ugd/6846fe_2bf577affa6c478e828dd44892d49680.pdf
    • https://static.usrfiles.com/ugd/b8c837_6d956ce77f8b44fa80c665f0e1b82399.pdf
    • https://static.usrfiles.com/ugd/173616_cb0c949cef6d485aa6435ac11a89fa9e.pdf
    • https://static.usrfiles.com/ugd/b42fd6_283eee7843c94d998aa6b1a88addaec9.pdf
    • https://static.usrfiles.com/ugd/5ecadc_75ac32e387944dcaac7a23c226578da9.pdf
    • https://static.usrfiles.com/ugd/b8c837_fca9b70c27e743ee82280ac60cf0ac31.pdf
    • https://static.usrfiles.com/ugd/451461_aa03acf3df4743bca1994690def8495b.pdf
    • https://static.usrfiles.com/ugd/fd3290_8123d6c303e74fe1a0b96f38e374c254.pdf
    • https://static.usrfiles.com/ugd/b8c837_1845900f8f6c4f749ea740a21fd36569.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000543c.bin
36f13384f297ce0c3397e15f858e18eabe32ca56f2bbb1dce0a2c2ef2c1b61b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x543C 5612 bytes
font_01_sfnt_off00006747.bin
101d1280a852a998e8cc27f1753ee816262934dd1cb2841bfde270068f761e9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6747 10152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.