Malicious PDF — malware analysis report

Static analysis result for SHA-256 d81b96df12abe2e1…

MALICIOUS

PDF

35.4 KB Created: 2020-09-04 07:13:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e42c51640fb453877aaa26a1922380ce SHA-1: cec57e420a458898e2c3c88497768ef25fd9f41a SHA-256: d81b96df12abe2e1484608d8239047c7cebc6a26e2b34dc7e5c749da6644acc9
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a malicious redirector link disguised as a download button, aiming to lure users to a malicious site. The PDF also hosts a large number of external links, likely for SEO manipulation to improve the ranking of the malicious redirector. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the exact payload.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=cad+furniture+blocks
    • https://static.usrfiles.com/ugd/957c7b_72ff29a39ed7432f9ca722b3a3b8138c.pdf
    • https://static.usrfiles.com/ugd/3e9e83_c7e7f47f372e422ea38450b72c851f3b.pdf
    • https://static.usrfiles.com/ugd/b8c837_43528278c59f498e8f6ef7ec3e2895a6.pdf
    • https://static.usrfiles.com/ugd/8a419d_f157e0368c7341018159316cc07315f8.pdf
    • https://static.usrfiles.com/ugd/92ee2b_8b540679052d44fcb80ba497fb7b0a0a.pdf
    • https://static.usrfiles.com/ugd/33c377_ebf2b31858644afbb4ccdd97bc47938d.pdf
    • https://static.usrfiles.com/ugd/b8c837_b72b27a34f524b0f8a4beff5cfb824de.pdf
    • https://static.usrfiles.com/ugd/0a593f_9174b2da17324a1f96ebc172ee2f1561.pdf
    • https://static.usrfiles.com/ugd/717a42_eea0b88050e346148a705e73bee6f267.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc094715d9b24a4fb7148df98740b45c.pdf
    • https://static.usrfiles.com/ugd/b8c837_a0e00486f5c64b769699da40d123d8b1.pdf
    • https://static.usrfiles.com/ugd/895bef_6771859b747643c79d96ce5ec3e03d5f.pdf
    • https://static.usrfiles.com/ugd/d9d1f5_b064258ee1b34d3b8a7ff712f7ed2998.pdf
    • https://static.usrfiles.com/ugd/d1c05f_97751e879316458088a90ea889ba5e1b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004ea7.bin
7380f2c1ed4bd90d552acb431d033cecf5acecaaa52115a8ba1085dd87cb46f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4EA7 5124 bytes
font_01_sfnt_off00006020.bin
a26a7034814783068a996e7b3ae319c7a48579763dac71db7fa111b61959fe73		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6020 9660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.