Malicious PDF — malware analysis report

Static analysis result for SHA-256 f24fae9ae422aa87…

MALICIOUS

PDF

37.4 KB Created: 2020-08-29 23:38:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5dc29d799c1d483742f627575fa58e4a SHA-1: 9307bbb567c8ba203e688465f095bb6cee9b694d SHA-256: f24fae9ae422aa875b28a4d8740c08e372dbca64d81db78ac772edd65cf4399f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file exhibits characteristics of a link farm, embedding a large number of external links, many of which point to PDF documents. One of these links is identified as a malicious redirector. The document body contains garbled text along with the malicious redirector URL and several benign-looking PDF links, suggesting a lure to obscure the malicious intent. No scripts were extracted, and the primary malicious activity appears to be the redirection to a potentially harmful site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=timesplitters+future+perfect+pcsx2
    • https://cdn.shopify.com/s/files/1/0435/0345/2326/files/aptitude_questions_and_answers_for_bank_exams.pdf
    • https://cdn.shopify.com/s/files/1/0438/9568/5288/files/ubuntu_12._04_5_free.pdf
    • https://cdn.shopify.com/s/files/1/0441/4350/9656/files/budgeting_in_accounting.pdf
    • https://static.usrfiles.com/ugd/b8c837_5c21f3a9479542fc966c7fa7896050f6.pdf
    • https://static.usrfiles.com/ugd/b8c837_d988595ce33d4c4998164ba8969ca58f.pdf
    • https://static.usrfiles.com/ugd/b8c837_8a7b79ad55304ee581f461abd5d717e1.pdf
    • https://cdn.shopify.com/s/files/1/0429/4744/4903/files/59644223936.pdf
    • https://cdn.shopify.com/s/files/1/0431/6112/5025/files/ccmb_phd_entrance_exam_question_papers.pdf
    • https://cdn.shopify.com/s/files/1/0429/2981/5711/files/amazfit_bip_english_manual.pdf
    • https://cdn.shopify.com/s/files/1/0429/8535/7463/files/gpu_architecture_book.pdf
    • https://static.usrfiles.com/ugd/b8c837_e17292eb6db1468bb6f5aa040c921649.pdf
    • https://static.usrfiles.com/ugd/c618e9_f5f148351dcb4a3e9e3213d034197555.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005522.bin
e65ffc1ddacd2aff6b352c1b76dd888d2c450b602619ca7a6ff7fc2820246975		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5522 5100 bytes
font_01_sfnt_off0000666e.bin
d1389e1729adac9f37f1db15d2ae91313ea5d0b13c8c0eea7ef2c4d83a479a91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x666E 10068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.