Malicious PDF — malware analysis report

Static analysis result for SHA-256 e59ea4e47421278d…

MALICIOUS

PDF

55.5 KB Created: 2020-09-01 17:46:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46249af9fd2ec328585f98fee68e9983 SHA-1: 8fa8a99f9d38c91417d56f96464ea6ec4ea8b603 SHA-256: e59ea4e47421278d424d381271f9e6f6340afb06c2f287026397c9e7617c101a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with at least one pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL for the redirector. This suggests the primary purpose is to lure users to malicious sites. The presence of a link farm further supports this, indicating an attempt to broaden the reach of the malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=nicotine+patch+dosing+guidelines
    • https://static.usrfiles.com/ugd/529dbf_457be07a21414f27885779507cc780b3.pdf
    • https://static.usrfiles.com/ugd/50de67_20358d957a334b8e8c7a0b90249d64d2.pdf
    • https://static.usrfiles.com/ugd/de3d83_ac49af9eb1314e388eb8da0fa1bce15f.pdf
    • https://cdn.shopify.com/s/files/1/0433/6068/2139/files/bosquejos_para_predicar_a_nios_cristianos.pdf
    • https://cdn.shopify.com/s/files/1/0431/2170/5124/files/reinforcement_learning_sutton_2018.pdf
    • https://cdn.shopify.com/s/files/1/0430/5358/0441/files/ratekitoguzebipa.pdf
    • https://cdn.shopify.com/s/files/1/0432/5166/3012/files/85535876014.pdf
    • https://cdn.shopify.com/s/files/1/0440/2990/2998/files/understanding_earth_7th_edition_answ.pdf
    • https://static.usrfiles.com/ugd/b8c837_c2073b104cc74ced9fdaba9c8dc72939.pdf
    • https://static.usrfiles.com/ugd/3794ad_31c1b8839c2945be9f06286bbbc63786.pdf
    • https://static.usrfiles.com/ugd/b8c837_528317447e284e2898b0305cc4846d9f.pdf
    • https://static.usrfiles.com/ugd/0047a4_2864d890bb1e409da75090cdb431fd68.pdf
    • https://static.usrfiles.com/ugd/e80f4c_feffe02abb5b48ebbb165352db3b8a7e.pdf
    • https://static.usrfiles.com/ugd/9ea9b6_ac032403377b4d7e9d559a465c17f956.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009ac9.bin
cb94b5a8b0396a0b4c62fd5ec4099449899cdb638fe62f75050eaf0b56698bdb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9AC9 5208 bytes
font_01_sfnt_off0000ac83.bin
392ae04f1dec580959bf4a2459abe6caecabdb1eb1f8a50d3ed550573a8a484b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAC83 10752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.