Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5a0dfe5b0aa7a82…

Verdict: MALICIOUS
File type: PDF
Size: 34.4 KB
Created: 2020-09-19 01:17:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a93ceaccdfc6c73557dcf4ff0da99fe
SHA-1: de7c37e45bbefbf722630a46bf56b6279ccf7e4e
SHA-256: e5a0dfe5b0aa7a82116293a6f38ff494f23e715ff72b288fc8590aa6f7f1ff11
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link farm and a direct link to a known malicious redirector, indicating a phishing or social engineering attempt. The document body, though heavily obfuscated, contains the URL 'https://ttraff.me/wix?keyword=murray+explorer+go+kart+brake+parts', which is a strong indicator of malicious intent. The presence of multiple embedded links suggests an attempt to distribute further malicious content or to engage in SEO poisoning.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.me/wix?keyword=murray+explorer+go+kart+brake+parts

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000472c.bin
    SHA-256: 203a661350596c27353bdc95b313227b92ec6f87a9f41ee33e19c8777711f1f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x472C
    Size: 5368 bytes
  • Filename: font_01_sfnt_off00005991.bin
    SHA-256: 61f011c6c39ae2a7ac79abe45ccd882192a39e4ce3bfc902ef78288e40369f6c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5991
    Size: 10356 bytes