Malicious PDF — malware analysis report

Static analysis result for SHA-256 42a23e49f9bd5553…

Verdict: MALICIOUS
File type: PDF
Size: 39.1 KB
Created: 2020-08-13 23:24:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4020b3cd5c5fed7abe7841b9bba4b82d
SHA-1: 6a77126020aea7d36e728969acf97fd291d37d07
SHA-256: 42a23e49f9bd5553dedf01292f19dcbbe22ab17e1226ec0ec9b21dbabfbc997c
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file matches a heuristic indicating that it is a malicious redirector: it links to a URL that appears to be a lure for the search query 'commercial driver license manual oklahoma'. The document body, although heavily obfuscated, contains the same URL and keywords. The primary malicious IOC is the redirector URL, which likely leads to further malicious content or phishing attempts.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.com/wb?keyword=commercial%20driver%20license%20manual%20oklahoma

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005ad2.bin
SHA-256: 1b497379ca1273aa0250467a55f6a6a56e30c47119c1b198fa393f7a98e6b85e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5AD2
Size: 5208 bytes

Filename: font_01_sfnt_off00006c53.bin
SHA-256: b40d9b6f85443ad939e71de5b2d6314cb17a359459901be88d8d94ad114be13b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6C53
Size: 10172 bytes