Malicious PDF — malware analysis report

Static analysis result for SHA-256 f52533e6d2da2952…

MALICIOUS

PDF

43.2 KB Created: 2020-09-29 21:59:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b07100cc915a27a179424d2d9f74501b SHA-1: 5056e3ae0dd887f86c6e00605bc70d015fbf2789 SHA-256: f52533e6d2da29520c3febc940040725830237db8f0a36660da73c714dbac645
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains embedded links that redirect to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body and heuristics suggest a lure impersonating a cloud document service to trick the user into clicking the malicious link. The primary malicious link identified is https://gettraff.ru/strik?keyword=cnet+download+pdf+reader, which likely serves as a gateway to further malicious content or malware.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Cloud document impersonation lure medium SE_CLOUD_DOC_LURE
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=cnet+download+pdf+reader
    • http://vaniror.agshield.com/uploads/1/3/1/4/131407178/3768584.pdf
    • http://tubawo.carysjonesscenicpainter.com/uploads/1/3/0/7/130739783/kipixamobudexav.pdf
    • http://pixawa.sandlotwesterville.com/uploads/1/3/1/6/131637881/e8ee6.pdf
    • http://files.livealifeofservice.org/uploads/1/3/1/8/131856646/7f66c3c053f5b16.pdf
    • https://site-1036911.mozfiles.com/files/1036911/gitubuvipa.pdf
    • https://site-1037253.mozfiles.com/files/1037253/wibejumakizazugigelepexiv.pdf
    • https://site-1036838.mozfiles.com/files/1036838/wanevepamewidifofomovaf.pdf
    • https://site-1037111.mozfiles.com/files/1037111/xigimudelefupoj.pdf
    • https://site-1036935.mozfiles.com/files/1036935/voferugubovuv.pdf
    • https://site-1036655.mozfiles.com/files/1036655/88220647338.pdf
    • http://gubumo.hifacestudio.com/uploads/1/3/1/3/131379070/5308bf87055df8.pdf
    • http://nikuri.ennstech.com/uploads/1/3/1/4/131453150/3897592.pdf
    • http://morev.harunaflute.net/uploads/1/3/2/6/132681927/kigoridiji_bupevirosorisu.pdf
    • http://files.sbelart.com/uploads/1/3/2/8/132814505/jowalinil_tomumegulefaf_metamosegagok.pdf
    • http://rozezes.swinhopelabradorsandgermanshepherds.com/uploads/1/3/2/7/132740813/9600933.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006cc0.bin
b513df445ab6a1bf4f462004d5030d6d7ad8e258630e931c446c0e36034daa8b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CC0 4856 bytes
font_01_sfnt_off00007d61.bin
694e532a5ce2f7afb5b8324675deec70aa8067559d63b5e1b66d2768ad904bbe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D61 10152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.