Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b267d848cb05b2b…

MALICIOUS

PDF

37.6 KB Created: 2020-08-23 10:07:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ec9880d8301ceafaa8a6f755f308df1 SHA-1: 8003cc0de6164d16a5b0bc32cb07d3ec22e41e00 SHA-256: 4b267d848cb05b2b160c696d63e79203d7e2c1f63a866c66679737fed4d8cd4f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, a common tactic for SEO link farms and phishing. One critical heuristic identified a link to a known malicious redirector, 'https://ttraff.cc/pify?keyword=anestesia+local+en+odontologia+libro+pdf', which is likely intended to lead the user to malicious content. The document body, though heavily obfuscated, contains text fragments and URLs that reinforce this lure. The presence of multiple Shopify links suggests an attempt to blend in with legitimate content while distributing the malicious payload.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=anestesia+local+en+odontologia+libro+pdf
    • http://files.carinaripley.com/uploads/1/3/1/0/131070612/2966957.pdf
    • https://cdn.shopify.com/s/files/1/0435/9861/0591/files/crossfire_hurricane_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0437/6815/2216/files/88692458182.pdf
    • https://cdn.shopify.com/s/files/1/0427/4061/3286/files/76651076431.pdf
    • https://cdn.shopify.com/s/files/1/0433/6877/5841/files/kixemu.pdf
    • https://cdn.shopify.com/s/files/1/0449/1742/4283/files/bazovefopumufatitu.pdf
    • https://cdn.shopify.com/s/files/1/0435/9405/5843/files/viwam.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/fuxojusi.pdf
    • https://cdn.shopify.com/s/files/1/0432/5530/0249/files/negonopefud.pdf
    • https://cdn.shopify.com/s/files/1/0437/7562/3322/files/20963143359.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/46506788711.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000532b.bin
53e2890c48ae7d999c9ddd87e5c4f9949c6f2d75ba0377af30e66db1b823e346		 pdf-font-stream PDF embedded font (sfnt) at offset 0x532B 5452 bytes
font_01_sfnt_off000065bc.bin
3602794832cc735d54fbb7cadeb5d2c98f24100320a77a72c843a9c88f04637d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65BC 10468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.