Malicious PDF — malware analysis report

Static analysis result for SHA-256 302a44ea50d73c0b…

MALICIOUS

PDF

48.5 KB Created: 2020-08-06 19:41:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a82f06d4f1e187915104e2ca2efa024 SHA-1: 942a80b2716b213c95c2d3e1c7cf6678e2576022 SHA-256: 302a44ea50d73c0b5bd7437ff1ec8dee734c0710227c45d22c2cc03d23d49e5b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one heuristic specifically identifying a malicious redirector. The document body, though heavily obfuscated, contains a reference to 'amore e psiche neumann pdf' and the malicious URL. The presence of numerous external PDF links suggests a link farm or SEO poisoning tactic to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=amore+e+psiche+neumann+pdf
    • http://files.upbeatelectronics.com/uploads/1/3/1/3/131379049/webewir.pdf
    • http://files.guidedchildrensadoration.com/uploads/1/3/1/6/131607131/34b0fa7.pdf
    • http://zifefuv.togetherincounselling.co.uk/uploads/1/3/2/3/132302939/nabarafasaromep.pdf
    • https://cdn.shopify.com/s/files/1/0428/3770/4867/files/gallbladder_surgery_diet.pdf
    • https://cdn.shopify.com/s/files/1/0436/0149/4178/files/46611897397.pdf
    • https://cdn.shopify.com/s/files/1/0431/8694/6206/files/xoxeligonesamesepekupagal.pdf
    • https://cdn.shopify.com/s/files/1/0428/8079/4780/files/pederaguxojaguxuwumini.pdf
    • https://cdn.shopify.com/s/files/1/0433/6844/8165/files/42139171222.pdf
    • https://cdn.shopify.com/s/files/1/0436/4160/2208/files/97989733150.pdf
    • https://cdn.shopify.com/s/files/1/0434/0360/8214/files/55918234555.pdf
    • https://cdn.shopify.com/s/files/1/0430/3156/0354/files/4416521526.pdf
    • https://cdn.shopify.com/s/files/1/0434/0151/1064/files/34562194437.pdf
    • https://cdn.shopify.com/s/files/1/0431/9733/3668/files/sisaxu.pdf
    • https://cdn.shopify.com/s/files/1/0428/1873/2191/files/joxapu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007f06.bin
afe9daec8c215ccd762f5a368d308524b386bd8c535013a49249636101b426d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F06 5352 bytes
font_01_sfnt_off00009111.bin
d153cc5845f06ff607b381d7edbee78df4760cff0e48fc80cdb5cc0abf975520		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9111 11092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.