Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fa205ab4e68b1de…

Verdict: MALICIOUS
File type: PDF
Size: 103.2 KB
Created: 2020-08-09 04:33:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6bb6a8d1e141be42c959ff89a8c48a85
SHA-1: bbb56c5ca00cd4ea2bbf8b1c4dfdea29a98606a8
SHA-256: 1fa205ab4e68b1de88542f75dcf517cc9dde07c4c35d5952b3b3517b8ce4b05b
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous links, including one pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text indicating it is a search-engine lure for the query 'lg an mr600 manual pdf'. The primary malicious IOC is the redirector URL, which likely leads to further malicious content. The link farm heuristic indicates a large number of outbound links, a pattern common in SEO poisoning campaigns.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • Redirector URL: https://ttraff.cc/pify?keyword=lg+an+mr600+manual+pdf

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • stream_003_off0000b6d0.bin
    SHA-256: a238b6707dbffd17c4921398c9f75c473b7d1f432657a9e5f4c71bd3794bcf13
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB6D0
    Size: 33276 bytes
  • font_01_sfnt_off00011d69.bin
    SHA-256: c38388ab5c8ef04ed31f103711f7155626b66383e5f008e61655818018ccae41
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11D69
    Size: 5420 bytes
  • font_02_sfnt_off00012fbd.bin
    SHA-256: 57faa4cb684a4555edbca555712bf075adaa3bbc7469c77c8c20711819b66f2b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12FBD
    Size: 6520 bytes
  • font_03_sfnt_off00013f6d.bin
    SHA-256: 5050245d405947b4eab0be6447f7e0dda993ae8e4c9808b557619abc2b68f52c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13F6D
    Size: 19828 bytes
  • font_04_sfnt_off000177be.bin
    SHA-256: 2db58c1ef4f22c986bda6e874b131e438e1352bbc36f6609e3a9b583c4c41b41
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x177BE
    Size: 16596 bytes