Malicious PDF — malware analysis report

Static analysis result for SHA-256 2630c88eb877069b…

Verdict: MALICIOUS

File type: PDF

Size: 61.2 KB
Created: 2020-08-04 07:43:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: b7123be00a520720156b04e7e7750524
SHA-1: f74a49325aac7630292fa414e7cdfb19a371b89e
SHA-256: 2630c88eb877069ba57f849923c471f028ee257bf30bc9805781098814e57e48

Risk Score: 160

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many of which point to domains that appear to be part of a link farm. One of these links, https://ttraff.cc/pify?keyword=como+funciona+o+sistema+renina+angiotensina+aldosterona+pdf, is flagged as a malicious redirector. The presence of visible command execution instructions suggests the potential for further malicious activity, possibly involving PowerShell or similar tools, though no specific script was extracted to confirm this.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [high] SE_LOLBIN_RUN_COMMAND: Visible LOLBin command execution instruction
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/pify?keyword=como+funciona+o+sistema+renina+angiotensina+aldosterona+pdf (flagged: malicious redirector)
    • http://files.vnchha.com/uploads/1/3/1/3/131378950/8558967.pdf
    • http://files.tephracurlycoatedretrievers.com/uploads/1/3/1/4/131407028/pemodupalo-dawazakinawu.pdf
    • http://files.tcars.info/uploads/1/3/0/7/130739116/2999115.pdf
    • http://files.escaperoom.solutions/uploads/1/3/1/8/131858540/xipewatawekep.pdf
    • http://files.henfieldcameraclub.net/uploads/1/3/1/4/131407635/bufoku_filadegakofu_risoxitiled_godepafujebata.pdf
    • https://cdn.shopify.com/s/files/1/0441/0369/6536/files/standard_catalog_of_smith_wesson_free.pdf
    • https://cdn.shopify.com/s/files/1/0429/7824/6815/files/60242561635.pdf
    • https://cdn.shopify.com/s/files/1/0429/0094/7103/files/45742110282.pdf
    • https://cdn.shopify.com/s/files/1/0431/4988/5606/files/46687654046.pdf
    • https://cdn.shopify.com/s/files/1/0428/7650/2175/files/lozosuraxisow.pdf
    • https://cdn.shopify.com/s/files/1/0432/5372/7387/files/patoxada.pdf
    • https://cdn.shopify.com/s/files/1/0434/8064/5782/files/popek.pdf
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/43814057619.pdf
    • https://cdn.shopify.com/s/files/1/0435/1298/7802/files/toxup.pdf
    • https://cdn.shopify.com/s/files/1/0429/1067/9203/files/gemejojaka.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/somerurunem.pdf
    • https://cdn.shopify.com/s/files/1/0433/5481/6665/files/97843874416.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00008b3f.bin | ca5e32966ba7ed9e223652e2f7cf65b70e8bfffd052db5d3d57ba8f932a43e36 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8B3F | 5380 bytes
font_01_sfnt_off00009d75.bin | 78ba4bc2130a2281df2f4898693f71b313ff93454206d3d8244ac38d75fccbf7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D75 | 11068 bytes
font_02_sfnt_off0000c1e2.bin | 717860a409c70c4bfddc50d2fdcdfdb4d009a247daa781d27df3057258cb1b21 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC1E2 | 16116 bytes
font_03_sfnt_off0000d6c6.bin | a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD6C6 | 4324 bytes