Malicious PDF — malware analysis report

Static analysis result for SHA-256 19be74a95792324a…

Verdict: MALICIOUS
File type: PDF
Size: 44.1 KB
Created: 2020-08-27 13:31:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8a944eb242ea5c01d068847de57dd1f6
SHA-1: e3cdc2c8dee08156effb7f77376678ddb19f9411
SHA-256: 19be74a95792324a63f26c3be9968ecaf274dbda6afc4454f947c42d9e510d82
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a known malicious redirector. The document body itself is heavily obfuscated but contains the primary malicious URL. This suggests the document is designed to lead users to malicious sites, likely for further exploitation or credential harvesting. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=dave+lombardo+music+groups

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006be8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6BE8
    Size: 5592 bytes
    SHA-256: c82803febd62a49482e446b44f3607a08599e3fa909c9e940dc03638f6c8c19a
  • Filename: font_01_sfnt_off00007ee1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7EE1
    Size: 10804 bytes
    SHA-256: a36b342251bf16b9c4582433ba06316dfd03121ac5bdd6f6f7378375a9a58bb7