Malicious PDF — malware analysis report

Static analysis result for SHA-256 4615d80acb04f0a4…

Verdict: MALICIOUS
File type: PDF
Size: 43.1 KB
Created: 2020-08-05 08:17:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fea3223099f3096128f613dda846af3a
SHA-1: 7743a56bba00e7e0e7196713576757e8198c626a
SHA-256: 4615d80acb04f0a4d0f6cb459f52db3db5249d120a4c545fe1454c240d94c608
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=geeklink+thinker+manual+pdf'. Additionally, it exhibits a PDF SEO link farm behavior, embedding numerous external links, many of which host PDF files. The document body is heavily obfuscated and contains embedded URLs, suggesting an attempt to disguise malicious content. The primary attack vector appears to be social engineering via a deceptive link within the PDF.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/pify?keyword=geeklink+thinker+manual+pdf
    • http://files.allezmag.co/uploads/1/3/0/7/130775126/kedibonigozet_lolubabemore_gamukemitotaj.pdf
    • http://files.pashaw.org/uploads/1/3/0/7/130775108/87bfd4.pdf
    • http://files.hannkhigg.com/uploads/1/3/0/7/130775220/6304614.pdf
    • http://files.innerlight-center.com/uploads/1/3/1/0/131070051/a44dc6.pdf
    • https://cdn.shopify.com/s/files/1/0435/1832/8991/files/67227476272.pdf
    • https://cdn.shopify.com/s/files/1/0432/0280/5921/files/lanisadewunaduxuxuwabupur.pdf
    • https://cdn.shopify.com/s/files/1/0432/9180/3801/files/que_es_auditoria_externa.pdf
    • https://cdn.shopify.com/s/files/1/0437/7185/5002/files/todatulurowovuwegaten.pdf
    • https://cdn.shopify.com/s/files/1/0437/6897/1418/files/90351313779.pdf
    • https://cdn.shopify.com/s/files/1/0430/1537/2949/files/sagan_bonjour_tristesse.pdf
    • https://cdn.shopify.com/s/files/1/0431/3969/4741/files/oxford_english_thesaurus.pdf
    • https://cdn.shopify.com/s/files/1/0431/5276/9192/files/mtu_it_downloads.pdf
    • https://cdn.shopify.com/s/files/1/0428/2259/8823/files/wuwel.pdf
    • https://cdn.shopify.com/s/files/1/0428/6509/8908/files/bixeloluxudo.pdf
    • https://cdn.shopify.com/s/files/1/0431/2665/3090/files/3508671643.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006c34.bin
  SHA-256: 68dedef32bf2f58ee913b7c1dc50e62a7f1a3a187205cc40347738deccd0eb3e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6C34
  Size: 5196 bytes

Filename: font_01_sfnt_off00007dbb.bin
  SHA-256: 8152d7abf36ab7ef713058ee8f6ca1efa60df567799fc72ae361a0d68c06e549
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7DBB
  Size: 9968 bytes