Malicious PDF — malware analysis report

Static analysis result for SHA-256 433ffab69bf6efd2…

MALICIOUS

PDF

48.9 KB Created: 2020-07-31 09:43:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78ca206de582d32a3926d7d6362f2df8 SHA-1: cb1b5bad3506daa18c5bca88f8c2661c38ae5634 SHA-256: 433ffab69bf6efd217ce7f1768409d52ddd0452d91d7673daca6b33681a77b6c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with the primary link directing to a known malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms this, and the presence of a 'PDF_SEO_LINK_FARM' suggests an attempt to generate traffic through search engines. The document body, though heavily obfuscated, contains text related to 'Employment card application form pdf', reinforcing the lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=employment+card+application+form+pdf
    • http://files.justintheframe.com/uploads/1/3/1/4/131453250/4191059.pdf
    • http://files.syfhq.com/uploads/1/3/1/4/131438692/4d38d80a3.pdf
    • http://files.connorshillgospelhall.com/uploads/1/3/1/3/131380771/navefuribeduzin.pdf
    • http://files.syfhq.com/uploads/1
    • https://cdn.shopify.com/s/files/1/0431/5742/2229/files/subetuvidijipuzi.pdf
    • https://cdn.shopify.com/s/files/1/0434/7396/1125/files/40198006017.pdf
    • https://cdn.shopify.com/s/files/1/0431/8344/0036/files/85397753372.pdf
    • https://cdn.shopify.com/s/files/1/0433/5042/5750/files/66751380438.pdf
    • https://cdn.shopify.com/s/files/1/0431/5955/2155/files/30267959189.pdf
    • https://cdn.shopify.com/s/files/1/0427/7708/4070/files/73165036353.pdf
    • https://cdn.shopify.com/s/files/1/0434/7104/4770/files/43161062000.pdf
    • https://cdn.shopify.com/s/files/1/0433/0664/7717/files/dirojosogajojozituvelofel.pdf
    • https://cdn.shopify.com/s/files/1/0429/3397/7255/files/87116341641.pdf
    • https://cdn.shopify.com/s/files/1/0429/4773/9811/files/wisigexulumalule.pdf
    • https://cdn.shopify.com/s/files/1/0435/4136/4890/files/luzan.pdf
    • https://cdn.shopify.com/s/files/1/0430/9857/0909/files/pivawuxedulumosuxul.pdf
    • https://cdn.shopify.com/s/files/1/0437/6304/0408/files/94460894816.pdf
    • https://cdn.shopify.com/s/files/1/0433/4357/7256/files/8358850266.pdf
    • https://cdn.shopify.com/s/files/1/0427/6636/8935/files/70899006671.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000792c.bin
f06b837697678c2410df791add87775ca22a8cd08d4ff9738603fb7bef5da32e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x792C 4968 bytes
font_01_sfnt_off000089fb.bin
050c1cad660602834231841c9558f2919366f71e1a68ceda38b72b947e926771		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89FB 14160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.