Malicious PDF — malware analysis report

Static analysis result for SHA-256 31b77ae604d64488…

MALICIOUS

PDF

Size: 43.1 KB
Created: 2020-08-07 07:53:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8c5b411b42fe2b278243c30412e951dd
SHA-1: a2bdce5af553775f7cb37c23a5b3944ad14ad385
SHA-256: 31b77ae604d64488d8d31c7967211f68cb916d69eb496fa6fdf4505a41b0d590
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass external PDF link farm, suggesting the document's primary purpose is to distribute links rather than provide legitimate content. The presence of the malicious redirector URL points towards an attempt to lure users to harmful sites.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.cc/pify?keyword=characteristics+of+management+accounting+pdf
    • http://files.classicalballetofcalifornia.com/uploads/1/3/1/6/131637362/6392202.pdf
    • http://tuxobudad.marynighdesign.com/uploads/1/3/0/8/130814297/gesuzevogifizakovew.pdf
    • http://files.arrowleisure.co.uk/uploads/1/3/0/7/130739648/nedob.pdf
    • http://files.nlra.org/uploads/1/3/1/4/131411474/fad4fa4727d6b70.pdf
    • http://files.outandplay.com/uploads/1/3/1/6/131607093/xubumumedamotexigulo.pdf
    • https://cdn.shopify.com/s/files/1/0430/2418/7555/files/23822840178.pdf
    • https://cdn.shopify.com/s/files/1/0427/9622/0572/files/4360461828.pdf
    • https://cdn.shopify.com/s/files/1/0427/8029/5334/files/zupexuv.pdf
    • https://cdn.shopify.com/s/files/1/0430/5308/8921/files/90711888453.pdf
    • https://cdn.shopify.com/s/files/1/0430/8451/3444/files/gedegeduzifap.pdf
    • https://cdn.shopify.com/s/files/1/0432/8806/8254/files/dotizolejirikizugafep.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wudivilijekeroleve.pdf
    • https://cdn.shopify.com/s/files/1/0429/3433/7695/files/simitidovazojam.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mokotutirajozejimus.pdf
    • https://cdn.shopify.com/s/files/1/0430/3588/5725/files/66571393948.pdf
    • https://cdn.shopify.com/s/files/1/0437/5894/4405/files/gominosezurago.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006902.bin
    SHA-256: d4f6db8493107919e166a6ad43a3fdf34f8b62187357cf08ab47faac663dc67d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6902
    Size: 5440 bytes
  • Filename: font_01_sfnt_off00007b53.bin
    SHA-256: eee39de65a838ace937b596554ec0936e0ea7734797d40a629e4569dc03cf532
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B53
    Size: 10640 bytes