Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7df6044d3be3057…

MALICIOUS

PDF

Size: 79.5 KB
Created: 2020-09-20 11:56:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ed44fcc7fb20d5af415151169ec6e5b
SHA-1: 312fa4317793ef16902dbfb586226d765bd89cf4
SHA-256: f7df6044d3be3057375047af91288a3b84eb78321ea21f2258250fb24701186e
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure for a 'professional cutting guide'. One of the primary links directs to a known malicious redirector, and another points to a PDF within a link farm, suggesting a phishing or malware distribution attempt.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.me/wix?keyword=empire+98-in.+professional+cutting+guide
    • http://xupamom.georgetimmermans.com/uploads/1/3/1/6/131637308/kekegukotejizejeloge.pdf
    • http://files.childrensbreadministriesinc.org/uploads/1/3/1/3/131381095/1186617.pdf
    • http://files.makeuplocker.com/uploads/1/3/0/7/130776103/1353505.pdf
    • http://files.celiabravo-teachingportfolio.com/uploads/1/3/0/7/130775952/6647872.pdf
    • http://migur.reframephx.org/uploads/1/3/1/0/131070381/5277101.pdf
    • https://e151535d-1f7d-4cbc-8b8c-bdc1e0fe1668.filesusr.com/ugd/8716ab_aff9adb4496244df8f09e3e27e640891.pdf?index=true
    • https://b43c217f-7c0b-4a5c-94b9-9bf3be2bc3e2.filesusr.com/ugd/704566_0cb71833fa7445c28dbd16bcb9897143.pdf?index=true
    • https://085e7098-5021-4469-870c-3c8f50749155.filesusr.com/ugd/e481ce_22fe9110bb994224a0748a480309366b.pdf?index=true
    • https://8f309a0e-1a19-49f6-b5ed-4f848dc10888.filesusr.com/ugd/0a052f_331d16149bfd48d982eaa7c4e74ae368.pdf?index=true
    • https://f4a379fe-f04a-4f2c-b597-a6add6f62b36.filesusr.com/ugd/c618e9_968e94b6646047e7b9b05729e9cd00b4.pdf?index=true
    • https://cdeb3170-9e7c-42c9-a3c3-a749cddd1db0.filesusr.com/ugd/d162e3_812e51f72f814894b1c79fad7a342ad8.pdf?index=true
    • https://364ed03f-3343-4d26-a2c5-27a0f7eaaf17.filesusr.com/ugd/77941b_3db0dc6295954a3397e02ffe421cff7f.pdf?index=true
    • https://fccce0a9-12b9-42aa-b7f6-8e0c3d7a91a4.filesusr.com/ugd/9757e7_08e96b1794074120a1e04bd7acbbf6c5.pdf?index=true
    • https://c7ef83d7-63e3-4ab1-830e-7431f430a07a.filesusr.com/ugd/bae0a0_80c8f921e71445ea93e12092bc37e67b.pdf?index=true
    • https://b173bc81-52f7-441e-9989-d55bd8fef0ba.filesusr.com/ugd/120f26_5ffdfaf906a44376aa307e1c817a8e0f.pdf?index=true
    • https://7538abad-43f3-47fa-baa6-7b4ba4f35a3a.filesusr.com/ugd/822ecd_eb6dc87b24944c20ade1b26997712cb6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000d261.bin
    SHA-256: d5c500424cfb2d15be85f02a965afdeb37ee7a2e59064d91704d54007c16bf2b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD261
    Size: 5848 bytes
  • font_01_sfnt_off0000e633.bin
    SHA-256: b06b0e2464790f33c78fc163423d18792f2668335f73e84930bd5a843ef50727
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE633
    Size: 3036 bytes
  • font_02_sfnt_off0000f2b4.bin
    SHA-256: 2079174e7409fbb65af3547a700dadd33e03daff5a99b8e3c82dc6291828876d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF2B4
    Size: 11660 bytes
  • font_03_sfnt_off00011a1c.bin
    SHA-256: 89b286494db5be87180cd882e0f5f088c68c4f8e5944637fb3dc22cde5a4571a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A1C
    Size: 16248 bytes