Malicious PDF — malware analysis report

Static analysis result for SHA-256 c87852a001c27f96…

Verdict: MALICIOUS
File type: PDF
Size: 39.2 KB
Created: 2020-08-30 05:32:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 51993d02e3aeeac8502b886a3204fd87
SHA-1: 0932d9a7586084a9dafc72f9ac7a46f987c0fadf
SHA-256: c87852a001c27f9655fd98dab01b44bab83c386c3b69f56f903cd75024789967
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the document delivers a clickable URI, not an exploit)
T1059.001 PowerShell (not supported by the static artifacts: no scripts were extracted from this sample; keep this mapping only if dynamic analysis of the redirect chain confirms a PowerShell stage)

The document is a lure about updating Android (the redirector URL's keyword parameter is the Italian phrase "aggiornare android 5.1 a 7.0", i.e. "update Android 5.1 to 7.0") that directs the user to click a link. PDF_MALICIOUS_REDIRECTOR_LINK fires because the primary link, https://ttraff.cc/wix?keyword=aggiornare+android+5.+1+a+7.+0, points at known malicious redirector infrastructure; the document carries no exploit and depends on the user clicking. PDF_SEO_LINK_FARM fires because a 39 KB document also carries twelve clickable links to other PDFs, split between static.usrfiles.com (6) and cdn.shopify.com (6), the pattern of generated SEO carrier documents that route search traffic into the same redirect chain. The Creator/Producer metadata (wkhtmltopdf via Qt) is consistent with automated HTML-to-PDF generation, but this metadata is attacker-controlled and is not evidence on its own. No JavaScript or other scripts were extracted from this sample; the risk lies entirely in the outbound links.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one or two hosts. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel through which each URL was reached is given per group below.
    Primary link (link annotation, redirector):
    • https://ttraff.cc/wix?keyword=aggiornare+android+5.+1+a+7.+0
    Link annotations to external PDFs (12: static.usrfiles.com 6, cdn.shopify.com 6):
    • https://static.usrfiles.com/ugd/b8c837_94f3cb67255d4f0c95e1f0f6de6a604c.pdf
    • https://static.usrfiles.com/ugd/40512e_7428708b60e245bab9e05855ce678e0d.pdf
    • https://static.usrfiles.com/ugd/f46427_0d3e190b928b4476bbc0827dc18914d3.pdf
    • https://cdn.shopify.com/s/files/1/0436/4769/7049/files/42856149799.pdf
    • https://static.usrfiles.com/ugd/c0b427_c720ff986d8f40b78f3d684c3955d311.pdf
    • https://static.usrfiles.com/ugd/b8c837_1638111e37bd4c80b3b30bbc8a6ccb82.pdf
    • https://static.usrfiles.com/ugd/9c0842_d2c085253c7e449986584d1837ac6112.pdf
    • https://cdn.shopify.com/s/files/1/0427/5660/4070/files/tavinaxuzababakefuse.pdf
    • https://cdn.shopify.com/s/files/1/0438/3821/0205/files/wukimipup.pdf
    • https://cdn.shopify.com/s/files/1/0461/7361/8329/files/jiwigetirukatigoda.pdf
    • https://cdn.shopify.com/s/files/1/0449/1057/5771/files/converter_para_jpg_ilove.pdf
    • https://cdn.shopify.com/s/files/1/0428/4933/7507/files/16833797597.pdf
    XMP metadata namespace URIs (6; standard RDF, Dublin Core and Adobe schema identifiers, not clickable and not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
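Reproducing the two link heuristics above on a constructed sample, as an added example that is not the report's own detection code: the script pulls the operands of /URI actions out of the PDF (the channel through which each clickable link above was reached), keeps the XMP namespace declarations apart from them so they are not counted as outbound links, and then scores the result. ttraff.cc as a known redirector host is taken from the report; the miniature PDF, the threshold values and the KNOWN_REDIRECTOR_HOSTS list are assumptions.

```python
from __future__ import annotations

import json
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed miniature PDF (not the analysed sample): one page whose /Annots are
# /Link annotations with /URI actions, plus an XMP metadata stream carrying the
# usual namespace URIs. Stream lengths and the xref table are omitted because the
# extractor below is byte-pattern based, so this will not render in a viewer.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842]
   /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj
4 0 obj << /Type /Metadata /Subtype /XML >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF
 xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns:pdf="http://ns.adobe.com/pdf/1.3/"
 xmlns:xmp="http://ns.adobe.com/xap/1.0/"/></x:xmpmeta>
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 500 720]
   /A << /S /URI /URI (https://ttraff.cc/wix?keyword=aggiornare+android+5.1+a+7.0) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [50 680 500 700]
   /A << /S /URI /URI (https://static.usrfiles.com/ugd/example_1.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /Rect [50 660 500 680]
   /A << /S /URI /URI (https://static.usrfiles.com/ugd/example_2.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /Rect [50 640 500 660]
   /A << /S /URI /URI (https://static.usrfiles.com/ugd/example_3.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /Rect [50 620 500 640]
   /A << /S /URI /URI (https://static.usrfiles.com/ugd/example_4.pdf) >> >> endobj
10 0 obj << /Type /Annot /Subtype /Link /Rect [50 600 500 620]
   /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0000/0000/0000/files/example.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI action operand written as a literal string. Hex strings (<...>) and
# escaped parentheses inside the literal are out of scope for this sketch.
LINK_URI_RE = re.compile(rb"/URI\s*\(([^()\\]*)\)")
# Namespace declarations in the XMP packet: schema identifiers, never clickable.
XMP_NS_RE = re.compile(rb'xmlns:[\w.-]+="([^"]+)"')

# Assumption: a threat-intel list of redirector hosts; ttraff.cc comes from the report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}


def extract_link_uris(pdf: bytes) -> list[str]:
    """URIs a user reaches by clicking: operands of /URI actions, in file order."""
    return [m.decode("latin-1") for m in LINK_URI_RE.findall(pdf)]


def extract_xmp_namespace_uris(pdf: bytes) -> list[str]:
    """URIs that are XMP/RDF namespace identifiers, reported separately so they
    are not mistaken for outbound links."""
    return sorted({m.decode("latin-1") for m in XMP_NS_RE.findall(pdf)})


def assess(pdf: bytes, *, max_size: int = 100 * 1024, min_pdf_links: int = 5,
           cluster_ratio: float = 0.5) -> dict:
    """Apply the two link heuristics. Thresholds are assumptions, not the report's."""
    links = extract_link_uris(pdf)
    hosts = [urlparse(u).hostname or "" for u in links]
    hits: list[str] = []

    # PDF_MALICIOUS_REDIRECTOR_LINK: any clickable URI on a known redirector host.
    redirectors = [u for u, h in zip(links, hosts) if h in KNOWN_REDIRECTOR_HOSTS]
    if redirectors:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")

    # PDF_SEO_LINK_FARM: a small file carrying many links to other PDFs that
    # cluster on one host, which a normal citation pattern does not produce.
    pdf_hosts = [h for u, h in zip(links, hosts)
                 if h and urlparse(u).path.lower().endswith(".pdf")]
    top = Counter(pdf_hosts).most_common(1)
    top_host, top_count = top[0] if top else (None, 0)
    if (len(pdf) <= max_size and len(pdf_hosts) >= min_pdf_links
            and top_count / len(pdf_hosts) >= cluster_ratio):
        hits.append("PDF_SEO_LINK_FARM")

    return {
        "size": len(pdf),
        "link_uris": links,
        "host_counts": dict(Counter(h for h in hosts if h)),
        "redirector_links": redirectors,
        "top_pdf_host": top_host,
        "xmp_namespace_uris": extract_xmp_namespace_uris(pdf),
        "hits": hits,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_PDF), indent=2))
```

Running it on the constructed sample raises both critical heuristics while the namespace URIs land in their own bucket. Against a real document the regex extractor is only a first pass: object streams, hex-encoded strings and /GoToR or /Launch actions need a proper parser (pypdf, pdfminer, or peepdf) before the counts can be trusted.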

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off00005afa.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5AFA   5200 bytes
  SHA-256: b9cd88b4f8f2ee46ca50c49fe12bc613d0d424431acc1ac3695f9783039ff440
font_01_sfnt_off00006ccc.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x6CCC   10360 bytes
  SHA-256: c44a9bd875828ac7c543d4cd6ce969f12db7b8e5d8f0eca6e7f2d0c2b9b87eee

No heuristic fired on either font stream.