Malicious PDF — malware analysis report

Static analysis result for SHA-256 2fb7cba2a65c00ea…

MALICIOUS

PDF

71.6 KB Created: 2020-08-05 16:55:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e3e415e60aeccb9b6ac4448f9b0d2bb SHA-1: c22937a8483049adbc8d7545990e16ea3f77e9e0 SHA-256: 2fb7cba2a65c00eab44b5f124dc50a7dd2f6ae022e4fc05479793f82186d0c6f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with one critical heuristic identifying a link to a known malicious redirector. The document body, though heavily obfuscated, contains a URL that appears to be the primary lure. The presence of a link farm suggests an attempt to manipulate search engine results to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=alexander+hamilton+federalist+papers+pdf
    • http://files.eosfp.com/uploads/1/3/2/6/132696018/2500595.pdf
    • http://files.leatherlondonguide.com/uploads/1/3/1/8/131856234/1893753.pdf
    • http://files.pegasusclinics.com/uploads/1/3/1/4/131438260/rufud.pdf
    • http://nijuki.theadventuroussmith.com/uploads/1/3/0/7/130739204/4c39319dbf1.pdf
    • https://cdn.shopify.com/s/files/1/0430/4715/7911/files/gawesa.pdf
    • https://cdn.shopify.com/s/files/1/0433/6464/7077/files/vovekemefivivinal.pdf
    • https://cdn.shopify.com/s/files/1/0428/7679/7081/files/19232916761.pdf
    • https://cdn.shopify.com/s/files/1/0435/4169/2567/files/66579628733.pdf
    • https://cdn.shopify.com/s/files/1/0432/6942/3269/files/watisetik.pdf
    • https://cdn.shopify.com/s/files/1/0437/7808/0925/files/gururefixuzaxopa.pdf
    • https://cdn.shopify.com/s/files/1/0433/7742/6584/files/vodidifubojasi.pdf
    • https://cdn.shopify.com/s/files/1/0431/0843/4081/files/segukizufexiziludomimovos.pdf
    • https://cdn.shopify.com/s/files/1/0431/3759/7607/files/kemeturajefetugebajubev.pdf
    • https://cdn.shopify.com/s/files/1/0438/4410/8453/files/oxford_picture_dictionary_english_spanish_download.pdf
    • https://cdn.shopify.com/s/files/1/0428/6735/9900/files/75850498658.pdf
    • https://cdn.shopify.com/s/files/1/0432/2027/1264/files/sebumafofunar.pdf
    • https://cdn.shopify.com/s/files/1/0434/1045/6726/files/zelazukibabopenuzas.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dbb8.bin
36e7410f8b8910890b821d8ee518ab9344f618b2b0f7bbd78afe4a2e90bb0a09		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDBB8 5340 bytes
font_01_sfnt_off0000edbd.bin
7964ff70ecb06ec5f7703e9a3987435bac65fc132d3d746ee43a10e743394c01		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEDBD 10260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.