Malicious PDF — malware analysis report

Static analysis result for SHA-256 e35f6cb648331a20…

MALICIOUS

PDF

43.8 KB Created: 2020-09-01 18:54:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8badca96cc360893458f3aca9a6079f4 SHA-1: 64e86d522b3a1f2101c7ae092409252bff4fd4fb SHA-256: e35f6cb648331a20a238d7c8a1d8ff837caa2e6993500f43a6d03e0fe12e97fe
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic identifying a malicious redirector. The document body, though heavily obfuscated, contains text related to 'end user computing spreadsheet controls' and a URL that appears to be a redirector. This suggests the document's primary purpose is to direct users to malicious infrastructure, likely for further exploitation or credential harvesting.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=end+user+computing+spreadsheet+controls
    • https://static.usrfiles.com/ugd/b8c837_8d791ac1433d47b5ae15dd4042e1d47c.pdf
    • https://static.usrfiles.com/ugd/b8c837_0ed2b38c3dc44d06acc5b060760ecce2.pdf
    • https://static.usrfiles.com/ugd/e745be_bf09df7721f2420d860434785f2b3840.pdf
    • https://static.usrfiles.com/ugd/b8c837_6a5f2dd4af0e47188c580170f612d5ce.pdf
    • https://static.usrfiles.com/ugd/d54300_5d3eb5fb69804e638c9848ca1b3c6a0f.pdf
    • https://static.usrfiles.com/ugd/9b5f63_2207dab62c714d37a89db3fefd360884.pdf
    • https://static.usrfiles.com/ugd/625844_68c4990aba714f12b1d488258353706f.pdf
    • https://static.usrfiles.com/ugd/b8c837_8674ca55ab884b7881aba10e2e0f5705.pdf
    • https://static.usrfiles.com/ugd/912de2_b9a31d45fbb5492091cead9c8a511f19.pdf
    • https://static.usrfiles.com/ugd/61b8bf_6d571f6151eb41ce97d974f89b793411.pdf
    • https://static.usrfiles.com/ugd/917232_0f9dca6a9d094f968fc842c4d077ec50.pdf
    • https://cdn.shopify.com/s/files/1/0434/5564/3813/files/wuvaxigetibelazanalolesi.pdf
    • https://cdn.shopify.com/s/files/1/0431/2386/7805/files/kawobefewavotipepa.pdf
    • https://cdn.shopify.com/s/files/1/0434/1910/7480/files/labupijijub.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006cfa.bin
77cdb2c92e53436d94d037e29f6f6bfd8f45d57a98188f3da130f171a5d10a4f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CFA 5444 bytes
font_01_sfnt_off00007f53.bin
35be1070547118e0bc0e9a059332deef5cc1555a89154c8c84014635149dbf61		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F53 10308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.