Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5915e7c2eef03a1…

MALICIOUS

PDF

87.1 KB Created: 2020-08-03 05:47:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ccdaed92ed0266a0282c939c7e69499 SHA-1: 951e700cafe7adcf012e19b7408932616133c1e1 SHA-256: f5915e7c2eef03a16760d9f137c5e85278e4f10beb7b6435337db4a919d85d68
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, disguised as a "Tinkers construct cheat sheet". The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms this, and the embedded URL is the primary indicator of compromise. The file also contains a large number of external PDF links, as noted by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or SEO poisoning attempt to drive traffic to malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=tinkers+construct+cheat+sheet
    • http://files.mtgcgs.org/uploads/1/3/1/0/131069899/sosifu.pdf
    • http://files.rosemaryrichings.com/uploads/1/3/0/7/130775747/72932e15c0.pdf
    • http://files.svstorm.com/uploads/1/3/1/6/131606630/loxukorufe_finabovomowu_jowexedoz_pawitujurinot.pdf
    • http://files.artbrit.com/uploads/1/3/1/0/131069987/7e1f5.pdf
    • https://cdn.shopify.com/s/files/1/0435/1537/9866/files/11218284812.pdf
    • https://cdn.shopify.com/s/files/1/0431/8098/2436/files/57634833499.pdf
    • https://cdn.shopify.com/s/files/1/0428/6126/5062/files/panixozuzopoleladiwet.pdf
    • https://cdn.shopify.com/s/files/1/0427/9658/1020/files/90004055901.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/53940500656.pdf
    • https://cdn.shopify.com/s/files/1/0439/4093/7896/files/83516035278.pdf
    • https://cdn.shopify.com/s/files/1/0431/4644/4960/files/push_project_to_github.pdf
    • https://cdn.shopify.com/s/files/1/0438/0983/3117/files/26143251868.pdf
    • https://cdn.shopify.com/s/files/1/0440/8298/7158/files/digerive.pdf
    • https://cdn.shopify.com/s/files/1/0433/3830/1594/files/59914235805.pdf
    • https://cdn.shopify.com/s/files/1/0428/9799/7991/files/33650003535.pdf
    • https://cdn.shopify.com/s/files/1/0428/9092/0099/files/kijuselo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011a0a.bin
e11422c7e109d90607836539ea6d91fa9ca96cbf77cb3dce2c70d4dd241230ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11A0A 4868 bytes
font_01_sfnt_off00012a8e.bin
1d0121d29a58f6d8c074a809aad0e426a55f8a226ef2095140634556e2d477fd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12A8E 10904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.