Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9629411e6262fac…

MALICIOUS

PDF

44.8 KB Created: 2020-09-04 16:35:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 94eef39c99a79ac990f7de5ca1532c03 SHA-1: e3e229594fdefaa11eb420c8dd39c71e77a62eeb SHA-256: e9629411e6262fac9441ab8dd923e0991f59a49642289bb34dbc10bb1984c4c6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, which points to a URL that appears to be a lure for free PowerPoint templates. This URL is also present in the document body. The file also contains a heuristic for a PDF link farm, suggesting it's part of a larger SEO poisoning campaign. The primary malicious IOC is the redirector URL, which likely leads to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=powerpoint+templates+animated+free++2007
    • https://static.usrfiles.com/ugd/a8cc01_7fea487dfd774291ad200c859ccadaa5.pdf
    • https://static.usrfiles.com/ugd/225520_73523b76e4b342cb85955813ef029961.pdf
    • https://static.usrfiles.com/ugd/a107db_1f0925451f5646b69c1a4f19269c3312.pdf
    • https://cdn.shopify.com/s/files/1/0428/3963/8179/files/gutokukigatisexe.pdf
    • https://cdn.shopify.com/s/files/1/0428/0057/8723/files/jaapos_author_guidelines.pdf
    • https://static.usrfiles.com/ugd/b8c837_06f3629ff1844fcb9a9f43b560af8846.pdf
    • https://static.usrfiles.com/ugd/e4f6f0_9e0d7443b569410799cc2ce95d15e4bc.pdf
    • https://static.usrfiles.com/ugd/145364_eacbbbc54882471fa3e1d732668f290d.pdf
    • https://static.usrfiles.com/ugd/5438e3_058616354dd9478d9144b905d7abb9f7.pdf
    • https://static.usrfiles.com/ugd/66c878_6e39f2e9d0d7494d90c0fbeb71ea0cf3.pdf
    • https://static.usrfiles.com/ugd/10a4aa_ba7d8d5b49f54c2288350b8ccf7d70a9.pdf
    • https://static.usrfiles.com/ugd/6d59ab_267ba6ac29124fbc94b97ac297e97da3.pdf
    • https://static.usrfiles.com/ugd/9df9d6_4e8954a2fcf242799d5344f3011dabcb.pdf
    • https://static.usrfiles.com/ugd/01d500_9b3a2e3c153f4f7a9d7fe49948286ed7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062b6.bin
e475696009c888762d9f2268e3ba0124b87724cad414d3ffbd221255ee172699		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62B6 5424 bytes
font_01_sfnt_off00007516.bin
129b19b17735b2070bd588213d7d74589ea426b40e9bfe332df109e11e08d459		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7516 10820 bytes
font_02_sfnt_off00009810.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9810 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.