Malicious PDF — malware analysis report

Static analysis result for SHA-256 f949e531045f09de…

MALICIOUS

PDF

40.3 KB Created: 2020-09-01 04:52:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 77ec2166c8dd6a8eb2cb111192631943 SHA-1: 3b3cfa2f680e29b4750da6cd0a0e242699ba5936 SHA-256: f949e531045f09de740dcdf284c669f61cc7f02434c8981f3c1f636cc388647a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a redirector service. The document body, though heavily obfuscated, contains a URL that appears to be part of a search query, likely intended to disguise the malicious redirector. The primary heuristic indicates the PDF links to known malicious redirector infrastructure, suggesting a phishing or scam attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=xl+twin+flannel+sheets+target
    • https://static.usrfiles.com/ugd/badafb_4dc0914412ed4abfab82e6a4ac8d168c.pdf
    • https://static.usrfiles.com/ugd/913720_b0f80bc391b14e2b9a8bd489789df031.pdf
    • https://static.usrfiles.com/ugd/b8c837_e2c05fe871cd4a9784b5200d3a77d298.pdf
    • https://static.usrfiles.com/ugd/eaf48f_8e8d10c86cd34f6f890f9e7a93091bdb.pdf
    • https://static.usrfiles.com/ugd/9b5f63_4c7f27fd9cf246e89ed62279821d4d49.pdf
    • https://cdn.shopify.com/s/files/1/0440/8036/5720/files/66208012435.pdf
    • https://cdn.shopify.com/s/files/1/0429/3240/4380/files/pikawekexarumofis.pdf
    • https://cdn.shopify.com/s/files/1/0434/2461/2509/files/33483756463.pdf
    • https://cdn.shopify.com/s/files/1/0466/9043/5236/files/safuwusubixetow.pdf
    • https://static.usrfiles.com/ugd/5af86b_3c586ebd4820403b99e14272a5a3788e.pdf
    • https://static.usrfiles.com/ugd/b8c837_2ea3711ed59f43fa8387ef0deb4c719f.pdf
    • https://static.usrfiles.com/ugd/b77b08_29a4be374d5645d48bf7842e28603fdb.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/lozafawofife.pdf
    • https://cdn.shopify.com/s/files/1/0457/5857/8852/files/49340964537.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000523f.bin
bdfe20962e128dc2531d1c9525f114c4c878446e4f96a53bfc94952488f1271d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x523F 4776 bytes
font_01_sfnt_off0000626c.bin
e0da0c6033143f8077e1d84fd9964774451fa3ba6e97334abe28c48e87b2a04e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x626C 10664 bytes
font_02_sfnt_off00008668.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8668 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.