Malicious PDF — malware analysis report

Static analysis result for SHA-256 fed8f54bc7ea24f9…

MALICIOUS

PDF

43.7 KB Created: 2020-08-30 09:48:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5cd9619d5c2d773ac162bdb638856973 SHA-1: 8034e4514f3afdac0030ab400d30ef1a56b353e1 SHA-256: fed8f54bc7ea24f91fa08f9209b7b5aacc18504bcfe148d21376a3b8fdcdc1fb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a malicious redirector link. The document body, though heavily obfuscated, also contains the same URL. This suggests the primary purpose is to redirect the user to a malicious site. The file also contains a large number of external PDF links, which is indicative of a link farm, potentially for SEO poisoning or to obscure the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=pakonomainen+raapiminen+oireyhtym%25C3%25A4
    • https://static.usrfiles.com/ugd/b77b08_f4308da0c6474b02a569bd83e131e66f.pdf
    • https://static.usrfiles.com/ugd/b8c837_54730b8e1bef4a45af9400fd92cb71b1.pdf
    • https://static.usrfiles.com/ugd/b8c837_235f415b5d794238838a0d95b049f254.pdf
    • https://static.usrfiles.com/ugd/47b1e8_ab6a6f72673c4ca3b55f3812daf7bd2d.pdf
    • https://cdn.shopify.com/s/files/1/0433/7070/9142/files/27707124070.pdf
    • https://cdn.shopify.com/s/files/1/0440/1581/2766/files/doboziruragaj.pdf
    • https://cdn.shopify.com/s/files/1/0433/4970/4854/files/87763719964.pdf
    • https://cdn.shopify.com/s/files/1/0428/3452/6375/files/bukixanivuzu.pdf
    • https://cdn.shopify.com/s/files/1/0431/2809/4882/files/44628659664.pdf
    • https://cdn.shopify.com/s/files/1/0432/8531/5737/files/56031134455.pdf
    • https://cdn.shopify.com/s/files/1/0428/0962/2691/files/kovuvirexegidi.pdf
    • https://cdn.shopify.com/s/files/1/0428/2672/7580/files/lijamafutelonovumonutu.pdf
    • https://cdn.shopify.com/s/files/1/0431/1914/9216/files/5513267637.pdf
    • https://cdn.shopify.com/s/files/1/0431/3382/9277/files/7428704825.pdf
    • https://cdn.shopify.com/s/files/1/0433/2430/9659/files/aspera_client_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c05.bin
8d870d471c271173e110fd2c6ed57a0df44871eea245b8c91ccbd1d6abb5fe71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C05 5252 bytes
font_01_sfnt_off00007d2d.bin
1c244908ccf46e0d910a42f9c96e4611fe7e03a76f7b76fc651cebb108e06137		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D2D 10336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.