Malicious PDF — malware analysis report

Static analysis result for SHA-256 37bc31d1bb0a8dc4…

Verdict: MALICIOUS
File type: PDF
Size: 46.8 KB
Created: 2020-08-19 03:45:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41a1dfde1f84cb175a88ac42051c57f7
SHA-1: 82c07cbb15b8bc566dfd9c6cb6bc98171ddbcb3a
SHA-256: 37bc31d1bb0a8dc473ead39a7665571d1e97853e66681874044da58fac9fc919
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains multiple embedded links, one of which points to known malicious redirector infrastructure (the ttraff.ru URL listed below). The heuristic firings indicate the document is a link-farm carrier: a small, generated PDF whose clickable links route the reader into a redirect chain rather than exploiting a parser vulnerability. The cluster of Shopify-hosted PDF links matches SEO-driven distribution of such carriers and hides the real destination behind a benign-looking CDN host. The document body is obfuscated and also contains the redirector URL. Note that nothing on this page supports the T1059.001 (PowerShell) mapping: the only carved artifacts are two embedded fonts, and no script content is reported.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK [critical]: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the detection is about the link target, not the file structure.
  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    A small PDF carrying many clickable external PDF links, mostly clustered on one host, matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains; it does not match a normal document citation pattern.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL channel labels (macro, JS, link annotation, document body, ...) for how each URL is reached.
    Flagged URL: https://ttraff.ru/pify?keyword=synonyms+and+antonyms+list+pdf
    • http://tetixu.kriswongbarrie.com/uploads/1/3/1/3/131384401/besarogupevimesa.pdf
    • http://files.ijcmsr.com/uploads/1/3/0/7/130775952/kimen-lijiwujop-poxijugunoguz.pdf
    • http://files.donigianproperties.com/uploads/1/3/0/9/130969633/9722842.pdf
    • https://cdn.shopify.com/s/files/1/0434/6006/7480/files/rutefiletazediximitute.pdf
    • https://cdn.shopify.com/s/files/1/0438/1350/3133/files/rulunar.pdf
    • https://cdn.shopify.com/s/files/1/0451/7868/3541/files/homogeneous_differential_equation_problems_and_solutions.pdf
    • https://cdn.shopify.com/s/files/1/0430/6019/9573/files/12223246372.pdf
    • https://cdn.shopify.com/s/files/1/0432/9121/3988/files/fibeferawitodubibibexaku.pdf
    • https://cdn.shopify.com/s/files/1/0431/5637/3659/files/86712001203.pdf
    • https://cdn.shopify.com/s/files/1/0434/6845/6088/files/anodizing_aluminium_process.pdf
    • https://cdn.shopify.com/s/files/1/0434/3883/3816/files/bestiary_6_pathfinder_download.pdf
    • https://cdn.shopify.com/s/files/1/0452/5889/9617/files/jizotiteniroduderafiwu.pdf
    • https://cdn.shopify.com/s/files/1/0433/2499/7800/files/14703524024.pdf
    The remaining six entries are standard RDF, Dublin Core and XMP namespace identifiers of the kind found in PDF metadata, not link targets, and carry no weight in the verdict:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
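As an added example (not the analysis tool's own code), the Python script below extracts /URI link-annotation targets from a PDF's raw bytes, separates them from XMP namespace URIs, and applies heuristics with the same intent as PDF_SEO_LINK_FARM and PDF_MALICIOUS_REDIRECTOR_LINK above. The sample PDF skeleton, the thresholds, the REDIRECTOR_HOSTS watchlist and the files.example.test host are constructed assumptions for this illustration; the report does not publish its own thresholds or watchlist.

```python
# Added example, not the report generator's code. Thresholds and the
# REDIRECTOR_HOSTS watchlist are assumptions chosen for illustration.
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: a watchlist of redirector hosts; the report shows the URL but
# does not say which rule matched which host.
REDIRECTOR_HOSTS = {"ttraff.ru"}

# Namespace identifiers that legitimately appear in PDF/XMP metadata and
# must never be counted as clickable links.
METADATA_NS_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/",
    "http://ns.adobe.com/",
)

_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (...) literal string
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")          # /URI <hex> string
_XMLNS = re.compile(rb'xmlns:[A-Za-z0-9]+="([^"]+)"')         # XMP namespace declarations

def _unescape(s: bytes) -> bytes:
    # Minimal PDF literal-string unescaping for the characters that occur in URLs.
    return re.sub(rb"\\([()\\])", rb"\1", s)

def extract_link_uris(pdf: bytes) -> list:
    """URIs reachable through /URI actions (the click channel), literal form first."""
    found = [_unescape(m.group(1)).decode("latin-1") for m in _URI_LITERAL.finditer(pdf)]
    found += [bytes.fromhex(m.group(1).decode()).decode("latin-1") for m in _URI_HEX.finditer(pdf)]
    return found

def extract_metadata_namespaces(pdf: bytes) -> list:
    """Namespace URIs declared in an XMP packet; informational only."""
    return [m.group(1).decode("latin-1") for m in _XMLNS.finditer(pdf)]

def is_metadata_namespace(url: str) -> bool:
    return url.startswith(METADATA_NS_PREFIXES)

def pdf_seo_link_farm(pdf: bytes, uris, max_size=200_000, min_links=8, min_share=0.5) -> dict:
    """Fires when a small PDF carries many external .pdf links clustered on one host."""
    ext_pdf = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in ext_pdf)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(ext_pdf) if ext_pdf else 0.0
    fired = len(pdf) <= max_size and len(ext_pdf) >= min_links and share >= min_share
    return {"fired": fired, "external_pdf_links": len(ext_pdf),
            "top_host": top_host, "top_share": round(share, 2)}

def pdf_malicious_redirector_link(uris) -> list:
    """Clickable URIs whose host is on the redirector watchlist."""
    return [u for u in uris if (urlsplit(u).hostname or "").lower() in REDIRECTOR_HOSTS]

def build_sample_pdf(uris) -> bytes:
    """Constructed PDF skeleton: enough objects for the extractors, not a renderable file."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + u.encode() + b") >> >>\n"
        for u in uris)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF></x:xmpmeta>')
    return (b"%PDF-1.4\n" + annots +
            b"<< /Type /Metadata /Subtype /XML >>\nstream\n" + xmp + b"\nendstream\n%%EOF\n")

# Constructed sample mirroring the report's pattern: one redirector link plus
# many .pdf links clustered on a CDN host (files.example.test is an assumption).
SAMPLE_URIS = (
    ["https://ttraff.ru/pify?keyword=synonyms+and+antonyms+list+pdf"]
    + ["https://cdn.shopify.com/s/files/1/04%02d/files/doc%d.pdf" % (i, i) for i in range(10)]
    + ["http://files.example.test/uploads/1/3/0/7/abc.pdf"]
)
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS)

def triage(pdf: bytes) -> dict:
    uris = extract_link_uris(pdf)
    return {
        "link_uris": len(uris),
        "metadata_namespaces": [u for u in extract_metadata_namespaces(pdf) if is_metadata_namespace(u)],
        "PDF_SEO_LINK_FARM": pdf_seo_link_farm(pdf, uris),
        "PDF_MALICIOUS_REDIRECTOR_LINK": pdf_malicious_redirector_link(uris),
    }

if __name__ == "__main__":
    for name, value in triage(SAMPLE_PDF).items():
        print(name, value)
```

The raw-bytes scan is deliberate for triage speed, but it only sees annotations stored in plain objects; a PDF that packs its annotation dictionaries into compressed object streams (PDF 1.5 and later) must be normalized first, for example with `qpdf --qdf --object-streams=disable in.pdf out.pdf`, before the regexes above will find them.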

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font programs, which is what a wkhtmltopdf-generated document is expected to contain; neither is flagged by any heuristic on this page.

font_00_sfnt_off00007a48.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7A48
  Size:    5296 bytes
  SHA-256: f029060c0fea5fc6e562ad6c0e0e6dc0c2c4840d583ea7cccdc6c7fa2f613591

font_01_sfnt_off00008c40.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8C40
  Size:    10020 bytes
  SHA-256: 2dec1570f4211ac1b7c1bafc86d4cffc6156338ff2ca35355fb29d763192af06