Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2a179f6a5106387…

Verdict: MALICIOUS
File type: PDF
Size: 32.4 KB
Created: 2020-08-30 02:19:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 410744daf4355e702509b5c71255d3b6
SHA-1: 91ed2382f6b2db736a51c5912bb6e2658bae6d34
SHA-256: d2a179f6a5106387cb26f7e693bdaa0f21ace2a912b199868d95f1c30fbb828b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, with one critical heuristic identifying it as a PDF SEO link farm. The primary URL points to a redirector that appears to be used for malicious purposes. The document body, though heavily obfuscated, contains the same URL as the primary redirector, suggesting an attempt to lure users into clicking through to external content.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.ru/wix?keyword=open+channel+flow+henderson+solution+manual

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000422c.bin | ffbcd15816099966a4d798b0f439f407c160f9d5288340d22099498e14d5b9b3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x422C | 5512 bytes
font_01_sfnt_off000054c7.bin | d9a73addc0a56fb5bd2fbac83ec7ba3a0d0438f44d616d975ca7b7f47684613e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x54C7 | 9368 bytes