Malicious PDF — malware analysis report

Static analysis result for SHA-256 20ed484a2119dde9…

MALICIOUS

PDF

41.2 KB Created: 2020-08-25 04:11:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61316c02c9bc4f3f625429769447803d SHA-1: a600604fb4565bd3ad1ef91de23ae4fe4a832b41 SHA-256: 20ed484a2119dde9b80a3289070b0d92bc8041067ba75f1cd8f51fe3ea59fecb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with a critical heuristic firing indicating a link to a known malicious redirector. The document body, though partially corrupted, contains a URL that matches the redirector found in the heuristics. The presence of numerous links, many pointing to the same redirector, suggests an attempt to obscure the final malicious destination, likely a phishing or malware distribution site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=chroma+key++windows
    • http://junitet.friscotxfencing.com/uploads/1/3/0/8/130874575/1214522.pdf
    • https://cdn.shopify.com/s/files/1/0428/6346/0508/files/free_consulting_agreement_template_word.pdf
    • https://cdn.shopify.com/s/files/1/0432/8351/3494/files/tutiriwopavexifo.pdf
    • https://cdn.shopify.com/s/files/1/0436/1024/3229/files/hypernatremia_guidelines_2017.pdf
    • https://cdn.shopify.com/s/files/1/0434/0816/2974/files/fapiregosobesul.pdf
    • https://cdn.shopify.com/s/files/1/0427/7354/5116/files/algebra_worksheets_for_grade_7.pdf
    • https://cdn.shopify.com/s/files/1/0430/2520/3354/files/arrayed_waveguide_grating_wiki.pdf
    • https://cdn.shopify.com/s/files/1/0464/7383/8742/files/53988116058.pdf
    • https://cdn.shopify.com/s/files/1/0430/3287/1074/files/sales_order_process.pdf
    • https://cdn.shopify.com/s/files/1/0439/3612/0990/files/synonym_for_occupational_performance.pdf
    • https://cdn.shopify.com/s/files/1/0430/9801/3850/files/savirekonedejulig.pdf
    • https://cdn.shopify.com/s/files/1/0431/8537/3333/files/billiards_game_information.pdf
    • https://cdn.shopify.com/s/files/1/0432/8154/7424/files/verumobozidaki.pdf
    • https://cdn.shopify.com/s/files/1/0431/8353/8333/files/xamapejetenusidubu.pdf
    • https://cdn.shopify.com/s/files/1/0436/6820/9817/files/android_simple_chat_application_source_code.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000646c.bin
bb7f01ddfc10b8da41df2e10f8a7f9dd67448d1b42d5b13aaf3fe5469adc5eca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x646C 5196 bytes
font_01_sfnt_off00007605.bin
cf133c23813ff688999849e8eab718e8880418b14a478d627b0f55c84105c610		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7605 10028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.