Malicious PDF — malware analysis report

Static analysis result for SHA-256 498f57757ab95dbd…

Verdict: MALICIOUS
File type: PDF
Size: 58.8 KB
Created: 2020-08-14 10:03:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 87ba3628ff0cf8d18001088aae3b9e5d
SHA-1: 82ff65a013d6209797180a654c5ffa4ae61554ad
SHA-256: 498f57757ab95dbdb6777aa17f88baefe2f583ea9ebe272235b6e866b43d58f2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.cc/wb?keyword=dna%20hybridization%20techniques%20pdf'. Additionally, it features a link farm with numerous external PDF links, many hosted on Shopify, suggesting a tactic to manipulate search engine results or distribute malicious content. The document body itself contains garbled text but includes the malicious redirector URL and several benign-looking PDF links, reinforcing the lure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wb?keyword=dna%20hybridization%20techniques%20pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000a04b.bin
  SHA-256: 4316b39cd7de8224760762addf6b627c87485d71b476f4a9aede9273d7e6f887
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA04B
  Size: 5628 bytes

Filename: font_01_sfnt_off0000b371.bin
  SHA-256: fe3b4d0535e6aaa93a9d4db112f41edbf0daf7e4f92dd5ed6f4b73e92d4dbcbb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB371
  Size: 13384 bytes