Malicious PDF — malware analysis report

Static analysis result for SHA-256 fcc401c811eb0ddc…

MALICIOUS

PDF

46.1 KB Created: 2020-09-01 14:07:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5479fb69d563a0c81ffd255d4a32285a SHA-1: 64c67b2f19019ca7c26b1f59e18b4a401cbac45e SHA-256: fcc401c811eb0ddc0f44135c7f25796f6ecf82c4b3b74be8e897e379ff5cf823
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though partially corrupted, contains text referencing 'Ausfund super rollover form' and the malicious URL, suggesting a phishing lure. The PDF also contains a large number of external links, characteristic of SEO spam or link farms, further supporting the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=ausfund+super+rollover+form
    • https://cdn.shopify.com/s/files/1/0431/5761/8850/files/37254429059.pdf
    • https://cdn.shopify.com/s/files/1/0432/5546/4104/files/95439586947.pdf
    • https://cdn.shopify.com/s/files/1/0431/3923/5989/files/rijokuwowigof.pdf
    • https://static.usrfiles.com/ugd/79cb75_fd99eba166ef4224bd1c0457f8d51011.pdf
    • https://static.usrfiles.com/ugd/eb6612_11432933a54b4ce5952f5387bcbae847.pdf
    • https://static.usrfiles.com/ugd/40b9e6_fb3baf9f5bd5432c80ccf83f57d7321b.pdf
    • https://static.usrfiles.com/ugd/4bdc6d_a53f2a9b63c646dda3731e6270b5e592.pdf
    • https://static.usrfiles.com/ugd/7e6083_a5bd99ae5dd44735986fa4cecf5ac7ff.pdf
    • https://static.usrfiles.com/ugd/278743_b95858b51a5143b6b02ac2d313af8509.pdf
    • https://static.usrfiles.com/ugd/b8c837_da91eb6cea424e249b9b5cf871653045.pdf
    • https://static.usrfiles.com/ugd/09273f_22e1e7dcf0a44ad89228b9997211087e.pdf
    • https://static.usrfiles.com/ugd/0cd3a8_fe60b097e7354bd9a2f1d5020b1a9257.pdf
    • https://static.usrfiles.com/ugd/724fb5_a44dfcd095ef4796b4c92cd272e83794.pdf
    • https://static.usrfiles.com/ugd/2f07a1_096f2149e1474f9e8e537306f66151ce.pdf
    • https://static.usrfiles.com/ugd/6203b9_6a31112ed7944257af3e89e7a6473aff.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a57.bin
b3580244ceb0b7c2aa4703805ddeb61f8a5812a537fd4af96f3ee69b2073bbe7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A57 4780 bytes
font_01_sfnt_off00007a73.bin
88d341c095436805b295a430812e16b0de80c4f9acf0703799bbbf7aa730cb4c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A73 10184 bytes
font_02_sfnt_off00009d37.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D37 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.