Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5f6eb39c4a4bff7…

Verdict: MALICIOUS
File type: PDF
Size: 42.6 KB
Created: 2020-08-09 07:05:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c2eaa8f8e056a043490a3cd997321f3
SHA-1: 21b3f4f914624385be06763022039fcc3a08eb83
SHA-256: d5f6eb39c4a4bff78ad884ba97a61e2ef3beced9e68248d07c432cd1354c1b23
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure for a 'cassation decision' which leads to the malicious URL. The presence of a link farm heuristic further supports the malicious intent of distributing links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=cassation+decision+volume+21+pdf
    • http://files.zackbacak.com/uploads/1/3/1/3/131398134/c9574.pdf
    • http://files.anacmcinerney.com/uploads/1/3/1/8/131871912/1396699.pdf
    • https://cdn.shopify.com/s/files/1/0427/7963/9967/files/gudas.pdf
    • https://cdn.shopify.com/s/files/1/0429/6127/2983/files/xorubavarinoniroxafob.pdf
    • https://cdn.shopify.com/s/files/1/0433/4521/5656/files/girovabawunezaboparurov.pdf
    • https://cdn.shopify.com/s/files/1/0433/0484/5465/files/70199709200.pdf
    • http://tuwujuwu.theraleighwineshop.square.site/uploads/1/3/0/8/130874474/16ae379ab9d9e.pdf
    • https://cdn.shopify.com/s/files/1/0437/7952/2714/files/bigoxepiwotusedemoz.pdf
    • https://cdn.shopify.com/s/files/1/0430/3070/8385/files/sojuvogop.pdf
    • https://cdn.shopify.com/s/files/1/0438/3742/3776/files/19198549363.pdf
    • https://cdn.shopify.com/s/files/1/0430/8893/7120/files/87507149260.pdf
    • https://cdn.shopify.com/s/files/1/0430/8421/8532/files/49143215830.pdf
    • https://cdn.shopify.com/s/files/1/0435/3772/7637/files/83868509930.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off000046a0.bin
  SHA-256: fb21640f4c278811f699712d19c9f45137fdc1fdfa6a777ec9ebe62cfef61254
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x46A0
  Size: 13756 bytes

font_01_sfnt_off00006b51.bin
  SHA-256: 50f2ba1623913df5d763c82e81a733cf3a5093cf673a8ef8a4ac78589e69d13b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6B51
  Size: 5356 bytes

font_02_sfnt_off00007d83.bin
  SHA-256: c44154a1e8a61b762c2f6d673110c47aaadf3bdfa9a14754e4d2f7e5cb535c3c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7D83
  Size: 9324 bytes