Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2e3976888835c3a…

MALICIOUS

PDF

40.6 KB Created: 2020-09-01 23:32:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8a21f4767bd74f5dcea421fefe31d65c SHA-1: f3e002fa8dd8bb734e380330e89d61422d6a5432 SHA-256: e2e3976888835c3aa2ac8f38db9f7d511c57452166d3fe40a4358886973fefa7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass of external links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the same malicious URL, suggesting an attempt to drive traffic to malicious infrastructure. The file was generated by wkhtmltopdf, a tool often used to create SEO-optimized content, which in this case appears to be a link farm for malicious purposes.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=dependency+injection+android+activity
    • https://static.usrfiles.com/ugd/2b98a3_0a1b870c26014700a25f2ecce7c9f589.pdf
    • https://static.usrfiles.com/ugd/7198c1_bd59c5f9d96241078ef3800be770e8f6.pdf
    • https://static.usrfiles.com/ugd/b8c837_29d3032025114b37a63b1c20dcdd4ee5.pdf
    • https://static.usrfiles.com/ugd/1cc7e8_c0cbb127c82643768dc63ee3da98b220.pdf
    • https://static.usrfiles.com/ugd/b8c837_bb27de6cef0b4598afe0d75b800c6143.pdf
    • https://static.usrfiles.com/ugd/b8c837_685f764df56043f5906e98e4183beb37.pdf
    • https://static.usrfiles.com/ugd/db1da1_870f2c850fc74228ad2aa8efaf2080ff.pdf
    • https://static.usrfiles.com/ugd/b8c837_c21f99e7162d4716ba4de2ede43cec1f.pdf
    • https://static.usrfiles.com/ugd/b8c837_873c5bcb872f453aa82775c0e5a284a8.pdf
    • https://static.usrfiles.com/ugd/b8c837_286d42d3721b4a818ad156a9620b876c.pdf
    • https://cdn.shopify.com/s/files/1/0434/6655/5556/files/litigants_in_person_guidelines_family_court.pdf
    • https://cdn.shopify.com/s/files/1/0439/3422/0456/files/69649437115.pdf
    • https://cdn.shopify.com/s/files/1/0434/1373/3533/files/jivif.pdf
    • https://static.usrfiles.com/ugd/353d00_bcb3e50784ea4745b23835b7ecfa68ac.pdf
    • https://static.usrfiles.com/ugd/b8c837_c84bc509c82e4486b3a31c1d0b4ac0c6.pdf
    • https://static.usrfiles.com/ugd/b8c837_03d86b7417ca4d8ea362872ef1700ea5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ed2.bin
fc3efbcc25c2c1a1567f8e5ae89aaa9e610673671301e686980c71ac9c5de7ac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5ED2 5096 bytes
font_01_sfnt_off00007049.bin
9d4137c2316a51f601c0ebf4a1a5d4458beaa6fee6dacc19768d2fb57d7ebe3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7049 11364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.