Malicious PDF — malware analysis report

Static analysis result for SHA-256 288651d4ec819d82…

MALICIOUS

PDF

43.4 KB Created: 2020-08-21 03:09:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 588e1c3726c0d03b47d62c6719363f91 SHA-1: f8176aff764506eabe450bc18386339318b28f66 SHA-256: 288651d4ec819d82fbde085a2b608ae8b7fe48eaa7e7bedbca0b617aa1e87f97
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, which points to a URL containing 'openshot video editor 32 bit windows'. This suggests a social engineering lure to trick users into downloading unwanted or malicious software. The document body also contains this URL and numerous other links, many hosted on Shopify, which is indicative of a link farm used for SEO poisoning or distributing malware. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=openshot+video+editor++32+bit+windows
    • http://fisojaf.unisonwestberks.com/uploads/1/3/1/3/131380480/1946652.pdf
    • http://lototob.pulsefitnessmandan.com/uploads/1/3/0/7/130776031/webalupij_wimuwapolivi_wugijigiz_vidadi.pdf
    • http://files.med4medics.org/uploads/1/3/1/4/131406797/5781143.pdf
    • https://cdn.shopify.com/s/files/1/0433/6680/9765/files/fexatonexitil.pdf
    • https://cdn.shopify.com/s/files/1/0437/9289/2061/files/98207071567.pdf
    • https://cdn.shopify.com/s/files/1/0428/2197/6220/files/10105438548.pdf
    • https://cdn.shopify.com/s/files/1/0430/3591/8489/files/30690672557.pdf
    • https://cdn.shopify.com/s/files/1/0433/3905/5253/files/8319316747.pdf
    • https://cdn.shopify.com/s/files/1/0436/6955/3305/files/35890163858.pdf
    • https://cdn.shopify.com/s/files/1/0433/4059/5352/files/can_t_hurt_me_book_free.pdf
    • https://cdn.shopify.com/s/files/1/0429/9050/2051/files/64025410589.pdf
    • https://cdn.shopify.com/s/files/1/0428/9619/5737/files/61405706005.pdf
    • https://cdn.shopify.com/s/files/1/0428/3655/7987/files/54222961846.pdf
    • https://cdn.shopify.com/s/files/1/0431/0535/3885/files/12866848628.pdf
    • https://cdn.shopify.com/s/files/1/0431/7226/6138/files/2144313216.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a3b.bin
ac2c4e0fdfa2bcde9b9378dccd39d1e0970d46ebabbd89662db7014423a40126		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A3B 5420 bytes
font_01_sfnt_off00007cac.bin
890c3293654af4b96fa6e9579ae0b10b7308f11506150a1ba655088e0a8b4ce5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CAC 10684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.