Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e62be6d924f52ba…

MALICIOUS

PDF

49.0 KB Created: 2020-08-20 08:52:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 50fa41fa4ac4501131392280b1fe04b3 SHA-1: ead881d927000254bbf6360ef860bfb7cb0be750 SHA-256: 2e62be6d924f52ba3f5123d1e4fc337e4ac803e5b0e7234eabbb6b42a9bdf85e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, a common tactic for SEO poisoning or redirecting users to malicious sites. One of the embedded URLs, https://ttraff.cc/pify?keyword=como+construir+techos+verdes+pdf, is identified as a known malicious redirector. The document body appears to be garbled but contains references to 'Como construir techos verdes pdf' and 'wkhtmltopdf', suggesting a lure related to green roofs or a technical document. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=como+construir+techos+verdes+pdf
    • http://zidig.bviolinsltd.com/uploads/1/3/2/6/132681352/sububogopinaliluteve.pdf
    • https://cdn.shopify.com/s/files/1/0435/1744/4264/files/how_to_use_pi_in_python.pdf
    • https://cdn.shopify.com/s/files/1/0436/1617/4243/files/48489726790.pdf
    • https://cdn.shopify.com/s/files/1/0431/7279/0427/files/merufejufuxemuxuz.pdf
    • https://cdn.shopify.com/s/files/1/0428/3187/2166/files/komop.pdf
    • https://cdn.shopify.com/s/files/1/0428/0070/9791/files/80050329447.pdf
    • https://cdn.shopify.com/s/files/1/0433/3302/5960/files/34144905846.pdf
    • https://cdn.shopify.com/s/files/1/0462/6766/2490/files/vibekuzuvepufowumegufexo.pdf
    • https://cdn.shopify.com/s/files/1/0433/4852/5206/files/84266685500.pdf
    • https://cdn.shopify.com/s/files/1/0429/4829/6857/files/divagasetamaxozirip.pdf
    • https://cdn.shopify.com/s/files/1/0434/9807/8372/files/xorikurubuwafe.pdf
    • https://cdn.shopify.com/s/files/1/0434/4433/8838/files/5035488068.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000714b.bin
f883e82e0857042a4e9a91b257b71d83b251085f7e9ae85ac4fbb28f8e90dbe9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x714B 5120 bytes
font_01_sfnt_off0000828e.bin
f56073003768946d57369709b3043be3f4798c6515695fdec8b6121ef4e57ab3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x828E 11340 bytes
font_02_sfnt_off0000a761.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA761 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.