Malicious PDF — malware analysis report

Static analysis result for SHA-256 3101f6718e7908f2…

MALICIOUS

PDF

Size: 137.2 KB
Created: 2020-08-03 00:25:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 07933742ad1fb5a26cec77f5e9ad26e0
SHA-1: 7e5be53ef35db4c26a222796944390eb5bf84184
SHA-256: 3101f6718e7908f2fbb292f51e358fed7acbca1eb867a39153354d1296231bdc
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 Malicious Link

The PDF contains a prominent link that redirects to a malicious URL, disguised with a seemingly innocuous keyword. The presence of a 'download button' heuristic further supports the social engineering aspect. The document body, though heavily obfuscated, contains the same redirect URL, reinforcing the malicious intent. The large number of embedded links to external PDFs, many hosted on Shopify, suggests a link farm or redirection strategy.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary redirect URL: https://ttraff.com/pify?keyword=when+does+magnemite+evolve

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0001cdad.bin
    SHA-256: dac4ca97c95db3ffb4d4c2c3c7e66e39e5975192048cd85a1086d13c54190c12
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1CDAD
    Size: 1528 bytes
  • font_01_sfnt_off0001d575.bin
    SHA-256: ba31f2b1169ecfe930bd938d6a0a5312ac5127eba3671e6a6d375ef251cf6759
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D575
    Size: 5216 bytes
  • font_02_sfnt_off0001e71f.bin
    SHA-256: 155e7be3a906f76a56ef6c646bc09a9125c814d43804cb32717022205e9c0ce6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1E71F
    Size: 15116 bytes