Malicious PDF — malware analysis report

Static analysis result for SHA-256 19f095456a0c5cd1…

MALICIOUS

PDF

Size: 58.7 KB
Created: 2020-08-18 13:32:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74987ca755ab078ac549cfdb5090cd30
SHA-1: f548648f0ac792c1541adeac0577dbbb5cdf7214
SHA-256: 19f095456a0c5cd129073b90173ad14c2eb00f35da7a03e5634c249111df81ee
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a redirector service, which is a common technique for phishing and malware distribution. The document body, though heavily garbled, contains keywords related to drivers and the redirector URL itself is designed to look like a search result for a driver. The presence of a link farm further suggests malicious intent to obscure the true destination.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=qualcomm+atheros+ar9285+wireless+driver

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size         SHA-256
font_00_sfnt_off00005cc9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5CC9  7452 bytes   f786a127250524f9e709a0b2298bee3e354e6221ae556ecad087225a19a5eff8
font_01_sfnt_off000075e6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x75E6  5776 bytes   c7b5f76b09267ec859efc06c3d5d53d3c4e22a2ac8cee2230af3a4d3b6433494
font_02_sfnt_off0000899b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x899B  17124 bytes  30d3961479f75ca67f61cbd0d8e2eed4ac355f015b8424af9c910467d58cb996
font_03_sfnt_off0000bdba.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xBDBA  4324 bytes   cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
font_04_sfnt_off0000cbbc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xCBBC  3868 bytes   0dad79264e9df2bbf842a03aa59f594ee271c9c5c23bb94622772193fc991315