Malicious PDF — malware analysis report

Static analysis result for SHA-256 4be3f655fa817b98…

MALICIOUS

PDF

38.0 KB Created: 2020-08-25 06:29:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8d44143c691b149e998e4fab454a0d75 SHA-1: 2c7a824b3dae1aab0535b6bb9be75bc0cd348561 SHA-256: 4be3f655fa817b98ccd4b811d64f336e7249c663096dd98c2d58535fb232e263
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF document contains a deceptive message prompting an 'upgrade' and includes a link to a known malicious redirector. This redirector is likely used to funnel victims to further malicious content or exploits. The PDF also contains a large number of external links, characteristic of SEO spam or link farms, further indicating a malicious intent to drive traffic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=upgrade+32+bit+to+64+bit+android
    • http://xubogi.travellingscot.co.uk/uploads/1/3/0/8/130874359/1428536.pdf
    • http://pulujefim.dkgwa.org/uploads/1/3/0/8/130813747/1809009.pdf
    • https://cdn.shopify.com/s/files/1/0431/5942/1092/files/rabugogima.pdf
    • https://cdn.shopify.com/s/files/1/0432/8236/6629/files/45340910475.pdf
    • https://cdn.shopify.com/s/files/1/0430/4021/1105/files/fejumuzimonizeponarabil.pdf
    • https://cdn.shopify.com/s/files/1/0429/2398/3001/files/nosafinug.pdf
    • https://cdn.shopify.com/s/files/1/0429/5933/9679/files/winobefipeterajulemubeti.pdf
    • https://cdn.shopify.com/s/files/1/0437/6710/3645/files/sovirokoteme.pdf
    • https://cdn.shopify.com/s/files/1/0427/9749/8535/files/22541096776.pdf
    • https://cdn.shopify.com/s/files/1/0431/9700/5981/files/53447915115.pdf
    • https://cdn.shopify.com/s/files/1/0428/8364/5599/files/before_you_accuse_me_tab.pdf
    • https://cdn.shopify.com/s/files/1/0433/4783/7083/files/mongodb_aggregate_count_performance.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005725.bin
91c066c25dc01760b366ee3e4045a97e5630c882ebe09b72d6d4f0e169b9a9d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5725 5588 bytes
font_01_sfnt_off00006a32.bin
5038de89017e83f6720332b21063bdbf1d00a979e2c015d9fbe9689bc4e8c343		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A32 9688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.