Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5d697aeddf91db7…

MALICIOUS

PDF

48.1 KB Created: 2020-08-30 10:07:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c138144b1b35899b089ec2bad1716d47 SHA-1: 2bca4a5ab9c0cf71a8b75b1e1f86a95c97ff55cf SHA-256: e5d697aeddf91db7e0e7bda84bad2fe15f2fc361c00668c2002134050cac002d
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the same URL found in the malicious redirector heuristic. The presence of a 'password-protected archive lure' heuristic suggests the PDF itself may not contain the final payload but is intended to trick the user into downloading and decrypting a separate malicious file. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=bravely+default+decrypted
    • https://static.usrfiles.com/ugd/b8c837_fcd4a41a79af447bb24ddede2b7f64e0.pdf
    • https://static.usrfiles.com/ugd/d94ae5_a6b83ec63c034555960b0c34f7a52278.pdf
    • https://static.usrfiles.com/ugd/8b97dd_e721d4c39b8c42e1acbdc92075d798e3.pdf
    • https://static.usrfiles.com/ugd/b8c837_57a055deee8445489e7134244864cbe1.pdf
    • https://static.usrfiles.com/ugd/b8c837_e03fbc2826624aef8dd0d6211dca4743.pdf
    • https://static.usrfiles.com/ugd/136d07_34cc7c3cc9974fa8a4456dcedc587ef7.pdf
    • https://static.usrfiles.com/ugd/b8c837_237d3ab74ea845c88c79e92779e2444f.pdf
    • https://cdn.shopify.com/s/files/1/0438/9902/7611/files/66751910935.pdf
    • https://cdn.shopify.com/s/files/1/0433/3142/0319/files/pdf_libro_caballo_de_troya_9_cana.pdf
    • https://static.usrfiles.com/ugd/122077_01248b372ca2464ab0a6e04db9e0e9ec.pdf
    • https://static.usrfiles.com/ugd/8ab72e_d490f6e49da846dcbde6dae8c1884c75.pdf
    • https://static.usrfiles.com/ugd/3f80ec_66d333a0591e4ba99ad8ac76a46d11bb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060fb.bin
052fc89a565cd2d1a076f4864c6a6e1b45927a2770944ca3b719b2826d2e04c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60FB 5180 bytes
font_01_sfnt_off000072b4.bin
ab7d3e78934e1dee251aadbd741d73a83f311b475479efb782d68a90f4e6940a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72B4 16040 bytes
font_02_sfnt_off00009d54.bin
4954ddec54c61b6acc7eddbac306bc890d05f3afdfcf3ae890c7612da0a7d668		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D54 16376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.