Malicious PDF — malware analysis report

Static analysis result for SHA-256 e519d269b88d7719…

MALICIOUS

PDF

Size: 34.5 KB
Created: 2020-09-07 19:56:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7911cd32841ae0fdb2f9a9ba9d9189d7
SHA-1: 69796ea5bb5d903a0046196526e8e6f7a7f49c29
SHA-256: e519d269b88d7719d90f3b406a779a0455c6f870c161075138a074ba3e78f206
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link and a link farm, indicating a phishing or redirection attempt. The document body, though heavily obfuscated, contains text suggesting it is a report template, likely a lure. The primary malicious IOC is the redirector URL, which is designed to lead users to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.link/pify?keyword=non+chronological+report+template+year+4
    • https://cdn.shopify.com/s/files/1/0434/5259/6374/files/51276059605.pdf
    • https://cdn.shopify.com/s/files/1/0438/6075/4592/files/cfop_method_3x3.pdf
    • https://cdn.shopify.com/s/files/1/0433/9813/5966/files/80362033181.pdf
    • https://cdn.shopify.com/s/files/1/0428/3914/6662/files/ragopa.pdf
    • https://static.usrfiles.com/ugd/63f22d_317064f29c5a471ca989c6460ec14743.pdf
    • https://static.usrfiles.com/ugd/40512e_454cca8d4eb541d1afac9b6f817cb698.pdf
    • https://static.usrfiles.com/ugd/225520_ef44349a9b174ba1a958aa6b9a9bd2f1.pdf
    • https://static.usrfiles.com/ugd/173616_7da1bd5a2d0e4307b23607d1a1dcaf71.pdf
    • https://static.usrfiles.com/ugd/b8c837_5c954b95b6f746faaf3d307c7670caea.pdf
    • https://cdn.shopify.com/s/files/1/0431/7554/2950/files/zabivilapekur.pdf
    • https://cdn.shopify.com/s/files/1/0438/2405/4429/files/fafogixubomebu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/letowopebofowebizuwir.pdf
    • https://cdn.shopify.com/s/files/1/0445/5497/7444/files/prueba_de_oxidasa_y_catalasa.pdf
    • https://cdn.shopify.com/s/files/1/0432/5575/9006/files/android_action_bar_item_background_color.pdf
    • https://static.usrfiles.com/ugd/1b7c00_02e77b4faf0a4eca8e62c6a0f5ebe192.pdf
    • https://static.usrfiles.com/ugd/1decf9_93d583b5672149119b8832ee43f71f9b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000048e0.bin
    SHA-256: 5223a2a192d7ff3e7db8901178bbdc98ef70c6984f2cddd06068041a819dd98c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x48E0
    Size: 5328 bytes
  • Filename: font_01_sfnt_off00005aee.bin
    SHA-256: eba127334d86cdbbb1a0cf7accec0b8c7e2988e54ecd959ab62f041ec41dbd85
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5AEE
    Size: 9868 bytes