Malicious PDF — malware analysis report

Static analysis result for SHA-256 f73e7c41d8a65e82…

MALICIOUS

PDF

42.3 KB Created: 2020-09-01 06:01:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 853bec578c629e71a507cd8a8956df16 SHA-1: 7efc29b85a6ece5384ea9e2dc0b4758c8a4c51f7 SHA-256: f73e7c41d8a65e82566d7d995ca0f3fb7ec5feedf95c489f7f3c5fc2c7a4f536
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm and a direct link to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'antivirus kaspersky internet security 2019 free', suggesting a lure. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to a malicious site. The PDF structure and embedded links indicate a social engineering attack aiming to trick users into clicking the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=antivirus+kaspersky+internet+security+2019+free
    • https://cdn.shopify.com/s/files/1/0437/9177/7952/files/gutabirepaviwolobu.pdf
    • https://cdn.shopify.com/s/files/1/0428/8774/1607/files/67090978082.pdf
    • https://cdn.shopify.com/s/files/1/0437/0422/1846/files/codycross_answers_group_30_puzzle_4.pdf
    • https://cdn.shopify.com/s/files/1/0431/4890/2557/files/how_to_delete_a_layer_in_photoshop.pdf
    • https://cdn.shopify.com/s/files/1/0437/7794/9848/files/98263889814.pdf
    • https://cdn.shopify.com/s/files/1/0440/1361/7302/files/endorsement_letter_sample.pdf
    • https://cdn.shopify.com/s/files/1/0429/0494/4807/files/unbreakable_machine_doll_light_novel_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/7365/9292/files/3143804041.pdf
    • https://cdn.shopify.com/s/files/1/0428/5497/3606/files/348928514.pdf
    • https://static.usrfiles.com/ugd/a01749_4a2e517933c04ada9633e960a99b48ea.pdf
    • https://static.usrfiles.com/ugd/963627_ff3f498fa485423197b23b5c66f0406b.pdf
    • https://static.usrfiles.com/ugd/48f461_d0739dd666fb4837bc9b8d9649cfed15.pdf
    • https://static.usrfiles.com/ugd/b8c837_bf9afa210ccd4576ace0f8eb31f8251d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/b8c837_bf9afa210ccd4576ace

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c56.bin
c200556e3ae078b9b994f7355bf50310ddc21208f951a01dd734d37ae603290a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C56 5672 bytes
font_01_sfnt_off00006fcb.bin
f3b16af6e329afbc23d930a26ad1777b538e5faf8997f21aef7fcc668512ff25		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FCB 14164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.