Malicious PDF — malware analysis report

Static analysis result for SHA-256 48e32c2b6855331e…

MALICIOUS

PDF

Size: 42.4 KB
Created: 2020-08-05 23:31:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     5eeeaf43e1de6a88b8796bb4b76c59e8
SHA-1:   68ed7b676c0a0515a67211be4a1f00a4b59675c3
SHA-256: 48e32c2b6855331eed79cdc14f816d23234936570d715db4d7c1350ad8a1e69f
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with one identified as a malicious redirector. The heuristic firings indicate that this PDF is part of a link farm, likely intended for SEO manipulation or to distribute malicious content. No scripts were extracted, but the primary attack pattern involves leveraging the PDF structure to host numerous external links.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs
    • https://ttraff.ru/pify?keyword=adam+s+curse+poem+pdf
    • http://files.mybabybooksa.com/uploads/1/3/1/4/131483138/kabonojoxa.pdf
    • http://files.trustmarkroofing.com/uploads/1/3/1/8/131871814/rasiwebizufosa.pdf
    • http://files.lisanerenberg.com/uploads/1/3/2/8/132816202/xesaxeradin_xunemug_tunuxuwetakarun_jutizizir.pdf
    • https://cdn.shopify.com/s/files/1/0433/1329/9620/files/66705995177.pdf
    • https://cdn.shopify.com/s/files/1/0431/0374/8263/files/15952499178.pdf
    • https://cdn.shopify.com/s/files/1/0435/7039/7339/files/nepetitewawamoweru.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/sexewagufik.pdf
    • https://cdn.shopify.com/s/files/1/0438/0668/7394/files/tinkle_comics_book.pdf
    • https://cdn.shopify.com/s/files/1/0436/9888/0680/files/12839833571.pdf
    • https://cdn.shopify.com/s/files/1/0433/6215/6702/files/78326066182.pdf
    • https://cdn.shopify.com/s/files/1/0436/5592/1822/files/bayesian_bodybuilding_pt_course.pdf
    • https://cdn.shopify.com/s/files/1/0428/7663/3247/files/english_grammar_vocabulary_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/7081/6407/files/94756528340.pdf
    • https://cdn.shopify.com/s/files/1/0440/2610/1910/files/fufaboxajov.pdf
    • https://cdn.shopify.com/s/files/1/0433/9377/7827/files/71020390162.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                     Size
font_00_sfnt_off000068ec.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x68EC  5260 bytes
    SHA-256: 4de1a0298cfd2a718423aa2f64ee996c1797d14f3423c5d3831fd44c3888d6b5
font_01_sfnt_off00007ab9.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x7AB9  10064 bytes
    SHA-256: 402c2812347c7cd052b66692a5677dd70c4369f77b8c434c65f05c1d3b5ed857