Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3a789ae6ec9be32…

Verdict: MALICIOUS
File type: PDF
Size: 43.4 KB
Created: 2020-09-16 14:51:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c442b302fab6808030bd38bd387bbb4
SHA-1: 28bb0642321a53441b1572c9f2564d351c7fb4a1
SHA-256: f3a789ae6ec9be32137bf165b318f8c24a8bc2df574b2c83e4a72e5cd1c0da09
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a login prompt, aiming to trick users into clicking it. The document also exhibits characteristics of a password-protected archive lure and a callback phishing lure, suggesting a multi-stage attack. The presence of numerous external PDF links further indicates a link farm or SEO poisoning attempt to distribute the malicious content.

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00006157.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6157  4496 bytes
  SHA-256: 97a3b656746f42eab8efab86280762ba412905d859925aad2edc452d732a83bf
font_01_sfnt_off0000708c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x708C  9972 bytes
  SHA-256: 71ceb321ac5b2e220860d78d1eab35eb8ab86a4e7fc92df2c086aa5de8ffca7b
font_02_sfnt_off000092b3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x92B3  4324 bytes
  SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34