Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd7305bde7ead952…

MALICIOUS

PDF

46.1 KB Created: 2020-08-19 19:39:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6932e023f0fb972ab734bb98e3b48ef4 SHA-1: 5c370cba375c72e3c6e66176f37a8c105c5bb1ad SHA-256: fd7305bde7ead9524c79f417674037a9782fdef18fac811e76b4547fe60d5347
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a link that redirects to a malicious URL, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body text, though partially corrupted, suggests a lure related to a "click plc manual". The PDF also contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic, which is a common technique for distributing malicious content or engaging in SEO abuse. The primary IOC is the redirector URL, which is likely used to funnel victims to a malicious payload.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=click+plc+manual
    • http://files.hiqsgroup.com/uploads/1/3/1/3/131381003/fc85d9.pdf
    • http://files.passmankade.com/uploads/1/3/0/7/130740112/c0d6fb4aae5.pdf
    • https://cdn.shopify.com/s/files/1/0432/0477/2000/files/22700587225.pdf
    • https://cdn.shopify.com/s/files/1/0431/7757/4557/files/46974648058.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/5081520916.pdf
    • https://cdn.shopify.com/s/files/1/0446/9365/1610/files/93740973527.pdf
    • https://cdn.shopify.com/s/files/1/0432/2931/5229/files/15983330527.pdf
    • https://cdn.shopify.com/s/files/1/0431/9032/1313/files/5121052209.pdf
    • https://cdn.shopify.com/s/files/1/0432/9861/9557/files/beguzazowonozijozixome.pdf
    • https://cdn.shopify.com/s/files/1/0430/1540/5725/files/device_electronics_for_integrated_circuits.pdf
    • https://cdn.shopify.com/s/files/1/0434/5911/7222/files/57239690975.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000787b.bin
3bca4948b58dbdd9c79d6b878c80ae70e21bb72738907f493e3c0c63875a8ae2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x787B 4772 bytes
font_01_sfnt_off0000889b.bin
e4a6e1bf76a4343f719bb1b8aae6ade1a3fae62d8e23fa00579932e7755116d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x889B 10360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.