Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a29e8096d186534…

MALICIOUS

PDF

Size: 37.8 KB
Created: 2020-07-08 12:07:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4de4dab5169be66b17f6f83212adb059
SHA-1: 3004ba76007a794c7aca1fa781994c009770ae3d
SHA-256: 4a29e8096d1865342529745f0a4a6d6295362d6ba190e2e97df9e6ec9ab01d99
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to domains associated with link farms and redirectors. The document body text, though partially corrupted, includes the phrase 'Exercises too and not enough pdf' and a URL to a known malicious redirector, suggesting a social engineering lure to drive traffic to malicious sites. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wb?keyword=exercises%20too%20and%20not%20enough%20pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000054c3.bin
    SHA-256: 3861838e838c5c60268a9b531168f316161e95111a24f30ed304eb459952c115
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x54C3
    Size: 5292 bytes
  • Filename: font_01_sfnt_off000066bd.bin
    SHA-256: 89e98a3efe29e4ed48d5cc07815dc7c7d693edc9ba5098dbecfbf6157410155d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x66BD
    Size: 10524 bytes