Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d81c8a14a80da45…

MALICIOUS

PDF

44.4 KB Created: 2020-08-18 16:07:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a5ef2c35fa2862babb60628891622b2 SHA-1: 4ee67f0e1ab8b76528d1d003383a530f1b37e0a2 SHA-256: 2d81c8a14a80da451b3fde1dd219d7d389ee164cb5b8a3c7700bf6a31b9b4972
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to plant identification and references the malicious URL. This suggests a lure to a link farm or phishing site, disguised as a helpful guide. No scripts were extracted, and the primary malicious activity appears to be link-based redirection.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=pflanzen+bestimmen+blattform
    • http://files.seattlefirstbaptist.org/uploads/1/3/2/3/132303080/81e42db7c9176.pdf
    • http://files.jfrancoist-shirtsdesigns.com/uploads/1/3/0/7/130775245/3280940.pdf
    • https://cdn.shopify.com/s/files/1/0429/6785/9359/files/dokozedil.pdf
    • https://cdn.shopify.com/s/files/1/0428/5857/8086/files/tom_clark_gnome_price_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/7839/3764/files/splashtop_wired_xdisplay_for_pc.pdf
    • https://cdn.shopify.com/s/files/1/0446/2054/6211/files/93505090400.pdf
    • https://cdn.shopify.com/s/files/1/0429/5039/4019/files/77262708933.pdf
    • https://cdn.shopify.com/s/files/1/0430/3034/7938/files/basojatisufobepi.pdf
    • https://cdn.shopify.com/s/files/1/0431/6702/3259/files/61753849369.pdf
    • https://cdn.shopify.com/s/files/1/0432/6758/8252/files/63736825682.pdf
    • https://cdn.shopify.com/s/files/1/0431/2262/2621/files/70859376100.pdf
    • https://cdn.shopify.com/s/files/1/0441/2506/1272/files/love_chronicles_secrets_revealed.pdf
    • https://cdn.shopify.com/s/files/1/0459/2451/5989/files/dictionary_english_to_bengali_free_jar.pdf
    • https://cdn.shopify.com/s/files/1/0432/4848/4507/files/90039458158.pdf
    • https://cdn.shopify.com/s/files/1/0437/3607/2341/files/jimapabagi.pdf
    • https://cdn.shopify.com/s/files/1/0432/3803/1518/files/didujivafasagedokopu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066ff.bin
81aca06d6e57bb23007a8887e6a5fa07b554729f0ecca8680918d6897cd8464b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66FF 5104 bytes
font_01_sfnt_off0000784d.bin
caf88b9a084d0893c7e95d080ef60a20b8936288ae90dc19e6e4226066e3f866		 pdf-font-stream PDF embedded font (sfnt) at offset 0x784D 14440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.