Malicious PDF — malware analysis report

Static analysis result for SHA-256 e33db4965abaecfe…

MALICIOUS

PDF

78.5 KB Created: 2020-09-17 09:50:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5c1a0ad2671be2834ca933c80f43da68 SHA-1: 2ed8ce681f283c11f378f29fcec4dea45b97cf13 SHA-256: e33db4965abaecfeca4c47bcb77251f437bd34660c69b4146af05e4fd3830111
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which points to a URL that appears to be part of a link farm. The document body, though heavily obfuscated, contains text related to 'Illinois pesticide applicator training manual' and the malicious URL itself, suggesting a lure to trick users into clicking the link. The primary malicious IOC is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=illinois+pesticide+applicator+training+manual+sp39+pdf
    • https://e526edc7-e340-4824-b419-a4fd8628d333.filesusr.com/ugd/2f8cea_c0a52f5efad84a1ebf6e76b611585b61.pdf?index=true
    • https://5a5c7a59-6384-4e63-956e-6b6f57389910.filesusr.com/ugd/4bb894_d492fe3ea6b14abf848151528d214ebc.pdf?index=true
    • https://0fc65e2e-8c39-4664-8d0f-655e1b46df34.filesusr.com/ugd/7ff653_758bce1bdfb5449aa377a9b27d11aa0e.pdf?index=true
    • https://c135fcd2-29b2-4610-be66-d0b26e6ff0fe.filesusr.com/ugd/882da0_d028ec28340748f5b8c3f7112916a09d.pdf?index=true
    • https://fcac0f54-e774-468e-aee3-aa7f7bf4741f.filesusr.com/ugd/81cd61_3d0f8a7c40f6465494eaba36790acce3.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0429/4246/4166/files/80817054924.pdf
    • https://cdn.shopify.com/s/files/1/0435/2635/7160/files/modelo_de_virginia_henderson.pdf
    • https://cdn.shopify.com/s/files/1/0428/2269/7126/files/wajonuwunetebutevisul.pdf
    • https://cdn.shopify.com/s/files/1/0429/7667/3946/files/zeworijejawegojimadebe.pdf
    • https://cdn.shopify.com/s/files/1/0466/8460/2532/files/walmart_barcode_scanner_app_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0428/7676/4327/files/potazigarireguxa.pdf
    • https://cdn.shopify.com/s/files/1/0432/8508/6374/files/sokavupidu.pdf
    • https://cdn.shopify.com/s/files/1/0431/3242/0262/files/pandoc_markdown_to.pdf
    • https://cdn.shopify.com/s/files/1/0433/2866/7798/files/9643054369.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8aa.bin
d1f0efe8295031460d6e9b77b5633c38eeaaa6d788c384dcf9f2a414843fd6b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE8AA 5732 bytes
font_01_sfnt_off0000fc0f.bin
1be8adb51668df08972545458a406586959ececc939345ab6f94bddd617277f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC0F 15500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.