Malicious PDF — malware analysis report

Static analysis result for SHA-256 3469bea55349016b…

MALICIOUS

PDF

45.8 KB Created: 2020-08-07 20:32:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7bba4c976e307f13d21d5450fa74372d SHA-1: 3ea320c647745109b31d0853614a8731bd936dec SHA-256: 3469bea55349016bf896402fb696f895e7485004f08770fcef581c8e648105a2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the text 'Imunisasi bias pdf' and the malicious URL, suggesting a lure to trick users into clicking the link. The presence of numerous links indicates a potential SEO poisoning or link farm tactic to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=imunisasi+bias+pdf
    • http://files.victoriaprather.com/uploads/1/3/2/7/132740214/4841948.pdf
    • http://files.ubcstephenministry.com/uploads/1/3/2/6/132695663/4dc38ce85fb.pdf
    • http://files.stantonacademy.com/uploads/1/3/2/6/132681949/4784992.pdf
    • http://files.fortykes.net/uploads/1/3/1/6/131606984/bilutumuz_tasevapijilem.pdf
    • https://cdn.shopify.com/s/files/1/0430/7599/3764/files/16599401929.pdf
    • https://cdn.shopify.com/s/files/1/0433/6753/0655/files/nivefolidarafeb.pdf
    • https://cdn.shopify.com/s/files/1/0435/9208/9759/files/chuyn_i_file_hnh_nh_sang_online.pdf
    • https://cdn.shopify.com/s/files/1/0434/8015/4269/files/70059796579.pdf
    • https://cdn.shopify.com/s/files/1/0435/6338/4991/files/95003723490.pdf
    • https://cdn.shopify.com/s/files/1/0433/7873/7310/files/43117259374.pdf
    • https://cdn.shopify.com/s/files/1/0435/7577/1304/files/63252614205.pdf
    • https://cdn.shopify.com/s/files/1/0435/7043/0115/files/javascript_game_code.pdf
    • https://cdn.shopify.com/s/files/1/0431/9156/6493/files/bugirotad.pdf
    • https://cdn.shopify.com/s/files/1/0434/3191/9765/files/31626516013.pdf
    • https://cdn.shopify.com/s/files/1/0432/8852/7013/files/75224329929.pdf
    • https://cdn.shopify.com/s/files/1/0428/4504/4892/files/zonejopeliwukepi.pdf
    • https://cdn.shopify.com/s/files/1/0432/4291/3955/files/54126938325.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007667.bin
a1eced44bd55507314aca21401f5c795ef5617ed7a92521ab00f3b96ed8efdb8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7667 5136 bytes
font_01_sfnt_off000087c7.bin
e0e23a74267caccf7919ea748976d74cc9884f74210399112333feda28ba365d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87C7 10352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.