Malicious PDF — malware analysis report

Static analysis result for SHA-256 3bee64d043e34631…

Verdict: MALICIOUS

File type: PDF

Size: 63.2 KB
Created: 2020-09-12 07:26:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e9b06e5e655fd3db37a45dfcffc2fbe
SHA-1: acbbfe6d5de527b90ffab97c4c6a112018386e3c
SHA-256: 3bee64d043e3463121689553f304536515acf0b3451aff515f0a22239171bc84
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious Link

The PDF contains multiple embedded URLs, with at least one pointing to known malicious redirector infrastructure. The document body explicitly instructs the user to copy and paste content into a shell context, which, combined with the malicious links, suggests an attempt to trick the user into executing commands or visiting malicious sites to download additional payloads. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.club/wix?keyword=linux+set+android_sdk_root
    • http://refur.lindseybarlagthornton.com/uploads/1/3/0/8/130873954/596445.pdf
    • http://refogon.howardinteriordesign.com/uploads/1/3/2/6/132680831/4775223.pdf
    • http://jofogepu.dotshallmark.com/uploads/1/3/2/7/132710624/nukawibigipesoju.pdf
    • https://cdn.shopify.com/s/files/1/0439/1229/8648/files/32541066329.pdf
    • https://cdn.shopify.com/s/files/1/0461/9767/0037/files/23946223729.pdf
    • https://cdn.shopify.com/s/files/1/0439/4346/1032/files/trinity_core_gm_command.pdf
    • https://cdn.shopify.com/s/files/1/0430/1992/7713/files/kevinuwatenaje.pdf
    • https://cdn.shopify.com/s/files/1/0435/2029/5064/files/simplifying_algebraic_fractions_worksheet_ks3.pdf
    • https://cdn.shopify.com/s/files/1/0435/9425/2456/files/zugom.pdf
    • https://cdn.shopify.com/s/files/1/0439/9074/5246/files/portable_chainsaw_milling_guide_attachment.pdf
    • https://cdn.shopify.com/s/files/1/0435/2802/8312/files/zedexu.pdf
    • https://cdn.shopify.com/s/files/1/0428/6958/8124/files/rokirerezobasevoraz.pdf
    • https://cdn.shopify.com/s/files/1/0434/8477/4552/files/92965764657.pdf
    • https://cdn.shopify.com/s/files/1/0463/0321/5778/files/filo_pastry_sheets_carbs.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ae8e.bin
  SHA-256: af490a450ac5f32f25252e07d52e2b32ac25dbaaf1b7438dc142e70d0b30e4ad
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAE8E
  Size: 4888 bytes

Filename: font_01_sfnt_off0000bf51.bin
  SHA-256: 90bb9444d33b1e722aa6e96144692e95490eb9e7a9757d6d95dd93f909dbd458
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBF51
  Size: 15764 bytes