Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e222a2b9034e506…

MALICIOUS

PDF

53.4 KB Created: 2020-08-06 02:48:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83c5080b7a68238998990e37dc74604e SHA-1: 3d3722b5fec1cd3fd05f789fe6b1634cd6d8c59d SHA-256: 4e222a2b9034e50655735921191f0bef381953891fb8210bced71264bbf118ec
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though heavily obfuscated, contains a URL that appears to be the primary lure, pointing to a redirector service. This service likely leads to a malicious payload or phishing page.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=blaise+cendrars+pdf+gratuit
    • http://files.asgfitness.com/uploads/1/3/1/8/131856232/laluvaruj-penajugexo.pdf
    • http://files.seattlefirstbaptist.org/uploads/1/3/2/3/132303080/81e42db7c9176.pdf
    • http://files.twamemorybook.com/uploads/1/3/0/8/130874358/fdf26dee5fc23.pdf
    • https://cdn.shopify.com/s/files/1/0429/0176/6310/files/zodewatujokaxusirewawom.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/31056735454.pdf
    • https://cdn.shopify.com/s/files/1/0431/5742/2229/files/convert_to_mov.pdf
    • https://cdn.shopify.com/s/files/1/0434/4587/8950/files/42383970776.pdf
    • https://cdn.shopify.com/s/files/1/0436/6699/7398/files/vawupikusisozomotisitizi.pdf
    • https://cdn.shopify.com/s/files/1/0428/6827/7415/files/waxiwosabofibitewag.pdf
    • https://cdn.shopify.com/s/files/1/0429/8535/7463/files/bodifixef.pdf
    • https://cdn.shopify.com/s/files/1/0432/3491/8558/files/bomelaguzis.pdf
    • https://cdn.shopify.com/s/files/1/0432/8924/7894/files/2611248176.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/76423385748.pdf
    • https://cdn.shopify.com/s/files/1/0431/6728/5410/files/3943922728.pdf
    • https://cdn.shopify.com/s/files/1/0430/7727/1703/files/tamumenipeba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008da6.bin
e2754e8f0954d26c1e7a0f4e61137e3d845bbfc4164c5947e862c478c2c58652		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DA6 5372 bytes
font_01_sfnt_off00009ffb.bin
153e5b951716d89fe2c3cd31ca4e6921b51e66834ab2b65ddabed3ce568e2068		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9FFB 12564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.