Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb9fbd1b07cf01cf…

Verdict: MALICIOUS
File type: PDF
Size: 39.1 KB
Created: 2020-09-02 01:45:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 76a16b03c7617efaaef059ff09ed724f
SHA-1: 210daf73b6c621d5294e7b095c9da563fd77d01e
SHA-256: cb9fbd1b07cf01cf97603d1a84af465403587de4a5dd7bff7f366bb53bfb63d3
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a mass external link farm, with one link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL that is likely intended to lure the user to malicious infrastructure. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • [URL] https://ttraff.cc/wix?keyword=flora+agaricina+neerlandica+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00004ed6.bin | 27048779291c466ff3046804b050d2f5a5dd8c4ef7ce51e1543b8ab55307a19b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4ED6 | 4808 bytes
font_01_sfnt_off00005f2e.bin | 24f78c8d8477567f3492c0ebc74e8af91dc56da5098b1913df30ed7e823bbaef | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F2E | 10000 bytes
font_02_sfnt_off00008151.bin | b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8151 | 4324 bytes