Malicious PDF — malware analysis report

Static analysis result for SHA-256 42cb3e295eea93f8…

Verdict: MALICIOUS
File type: PDF
Size: 43.0 KB
Created: 2020-08-06 15:33:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ca81d2cad87cc6dc951c89e7f61f42c
SHA-1: 849dd2ee6fc14bcd5bc72f400d1fec7fafb60f6a
SHA-256: 42cb3e295eea93f8629c2ce0d5ce3d3594bced89640f909ee04e24305684f72a
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (the sample's delivery mechanism is clickable link annotations; sub-technique .001 is Spearphishing Attachment, .002 is Spearphishing Link)
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF carries a large number of link annotations: fifteen clickable external .pdf links, twelve of them on a single CDN host, plus one link to a redirector service. The visible text, although partially corrupted, reads as a lure for a free PDF download ('Cazadora de hadas pdf gratis'). The primary IOC is the redirector URL, which in this campaign pattern leads on to further malicious or unwanted-software content; the PDF_MALICIOUS_REDIRECTOR_LINK heuristic fires because that host is known redirector infrastructure, not because of anything the PDF itself executes. The static results show only link annotations and embedded fonts, with no script or JavaScript objects, so the T1059.001 (PowerShell) mapping is not evidenced by this file and can only describe a later stage of the redirect chain.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. A URL on its own is not a detection; what matters is the channel (macro, JS, link annotation, document body, ...) through which each URL is reached. The extracted URLs fall into three groups:
    Redirector link (the primary IOC; clickable link annotation):
    • https://ttraff.cc/pify?keyword=cazadora+de+hadas+pdf+gratis
    Clickable external PDF links (the link farm; 12 of 15 on cdn.shopify.com):
    • http://files.vintageglamper.com/uploads/1/3/0/7/130776027/4895771.pdf
    • http://files.cashatmservices.com/uploads/1/3/1/4/131413485/rejer_jabaril_zebegokurob_nexenubegip.pdf
    • http://files.victorialrudolph.com/uploads/1/3/2/7/132712154/mipalova.pdf
    • https://cdn.shopify.com/s/files/1/0427/9736/7452/files/piramide_alimenticia_para_nios_de_primaria.pdf
    • https://cdn.shopify.com/s/files/1/0430/3867/1010/files/korevujox.pdf
    • https://cdn.shopify.com/s/files/1/0437/7070/8125/files/bullworker_workout.pdf
    • https://cdn.shopify.com/s/files/1/0432/5805/2763/files/1358941880.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/68769425665.pdf
    • https://cdn.shopify.com/s/files/1/0437/7097/0274/files/53860429113.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xidab.pdf
    • https://cdn.shopify.com/s/files/1/0434/2225/3208/files/angina_de_pecho_unam.pdf
    • https://cdn.shopify.com/s/files/1/0432/9360/6046/files/paduxop.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/24863128440.pdf
    • https://cdn.shopify.com/s/files/1/0434/3375/4773/files/japanese_iptv_m3u.pdf
    • https://cdn.shopify.com/s/files/1/0432/0935/9520/files/remox.pdf
    XMP metadata namespace URIs (standard RDF/Dublin Core/Adobe boilerplate written by the authoring tool; not clickable links, no IOC value):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
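As an added worked example (not the report vendor's scanner and not part of the original report), the Python script below reproduces the three heuristics above in triage form. It extracts URLs from raw PDF bytes by channel (clickable /URI link annotations, including hex-encoded strings; XMP namespace declarations; plain body text) and then applies the redirector and link-farm rules to the link-annotation channel only, so that metadata boilerplate can never trigger a verdict. The redirector host ttraff.cc is the one from this report's IOC; every other host, the size and count thresholds, and the sample PDF bytes are constructed assumptions. Real samples usually carry FlateDecode-compressed content streams, which this byte-level pass would have to inflate first.

```python
# Added example (not the report vendor's scanner): channel-aware URL extraction
# from a PDF, followed by the redirector and link-farm heuristics the report
# describes. Stdlib only; regex-based triage over raw (uncompressed) bytes.
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Redirector host taken from the report's IOC; in practice fed from threat intel.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}
# Assumed thresholds for "small PDF with many external .pdf links on one host".
SMALL_PDF_BYTES = 100 * 1024
MIN_PDF_LINKS = 5
CLUSTER_SHARE = 0.5

_URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")
_XMLNS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')
_URL_RE = re.compile(rb'https?://[^\s<>()"]+')


def _decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal (...) or hex <...> string; octal escapes are not handled."""
    if raw.startswith(b"<"):
        return bytes.fromhex(re.sub(rb"\s", b"", raw[1:-1]).decode("ascii")).decode("latin-1")
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw[1:-1]).decode("latin-1")


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return deduplicated (channel, url) pairs; the most specific channel wins:
    link annotation, then XMP namespace, then plain body text."""
    found: list[tuple[str, str]] = []
    seen: set[str] = set()

    def add(channel: str, url: str) -> None:
        if url not in seen:
            seen.add(url)
            found.append((channel, url))

    for m in _URI_RE.finditer(pdf):    # clickable /Link annotations, literal or hex
        add("link-annotation", _decode_pdf_string(m.group(1)))
    for m in _XMLNS_RE.finditer(pdf):  # XMP boilerplate namespaces, never clickable
        add("xmp-namespace", m.group(1).decode("latin-1"))
    for m in _URL_RE.finditer(pdf):    # anything else visible in the raw bytes
        add("body-text", m.group(0).decode("latin-1"))
    return found


def apply_heuristics(pdf: bytes, urls: list[tuple[str, str]]) -> list[str]:
    """Mirror the report's three heuristics; only link annotations count as clickable."""
    hits: list[str] = []
    links = [u for ch, u in urls if ch == "link-annotation"]
    hosts = [urlparse(u).hostname or "" for u in links]
    if any(h in KNOWN_REDIRECTOR_HOSTS for h in hosts):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    pdf_hosts = [h for u, h in zip(links, hosts) if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) < SMALL_PDF_BYTES and len(pdf_hosts) >= MIN_PDF_LINKS:
        _top_host, n = Counter(pdf_hosts).most_common(1)[0]
        if n / len(pdf_hosts) >= CLUSTER_SHARE:
            hits.append("PDF_SEO_LINK_FARM")
    if urls:                           # informational only, never a verdict by itself
        hits.append("EMBEDDED_URL")
    return hits


def build_sample() -> bytes:
    """Constructed input, not the analysed file: a non-renderable PDF skeleton with one
    redirector link, six .pdf links (one hex-encoded), an XMP packet and a URL in
    page text. Every host except ttraff.cc is a placeholder."""
    links = [
        "https://ttraff.cc/pify?keyword=cazadora+de+hadas+pdf+gratis",
        "https://cdn.example.com/s/files/1/0001/a.pdf",
        "https://cdn.example.com/s/files/1/0002/b.pdf",
        "https://cdn.example.com/s/files/1/0003/c.pdf",
        "https://cdn.example.com/s/files/1/0004/d.pdf",
        "http://files.example.net/uploads/1/2/3/e.pdf",
    ]
    objs = [b"%PDF-1.4"]
    for i, url in enumerate(links, start=4):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj"
                    % (i, url.encode()))
    hex_url = b"http://files.example.net/uploads/1/2/3/f.pdf".hex().encode()
    objs.append(b"10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <%s> >> >> endobj" % hex_url)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    objs.append(b"11 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream\nendobj"
                % (len(xmp), xmp))
    text = b"BT /F1 12 Tf (Descargar: http://mirror.example.org/cazadora.pdf) Tj ET"
    objs.append(b"12 0 obj << /Length %d >>\nstream\n%s\nendstream\nendobj" % (len(text), text))
    objs.append(b"%%EOF")
    return b"\n".join(objs)


if __name__ == "__main__":
    sample = build_sample()
    for channel, url in extract_urls(sample):
        print(f"{channel:16} {url}")
    print("heuristics:", apply_heuristics(sample, extract_urls(sample)))
```

Run directly, it prints every URL with its channel and then the heuristics that fire. The hex-encoded /URI is recovered only by the annotation parser, which is why a plain URL regex over the file is not a substitute for channel-aware extraction, and why the XMP namespace URIs are reported but never counted toward a verdict.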

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005a8c.bin
    SHA-256: 85708bdd2121e560f137a8159d014802333a03d6d85a3720518a38ea9f49c218
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A8C
    Size: 5028 bytes
  • font_01_sfnt_off00006bcd.bin
    SHA-256: dbfb9273620df7dc40cd50230163f3e1a9506ff39a2c64e3381a076d97f93f6e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6BCD
    Size: 11068 bytes
  • font_02_sfnt_off00008fb2.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8FB2
    Size: 4324 bytes