Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f529b51be4ffd5d…

MALICIOUS

PDF

34.6 KB Created: 2020-08-11 18:51:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 641a1081a490f6888f63ecfb5397bdc6 SHA-1: 33fcb3e89a1f492717cef050d3e4bd63ca19aa1b SHA-256: 4f529b51be4ffd5de55e4e32a3ecd8bb8b354c4f1ff9bd5fd8e3609cb5f2164c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm designed to redirect users to malicious infrastructure, specifically to `https://ttraff.com/pify?keyword=pasar+de+pdf+a+word+gratis`. This indicates a phishing or scam attempt, likely using the document content as a lure. The presence of numerous external links, many pointing to Shopify domains, suggests an attempt to obscure the final malicious destination and potentially leverage SEO tactics for distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=pasar+de+pdf+a+word+gratis
    • http://files.maplerunfriends.com/uploads/1/3/1/4/131406736/gedim-buberuzepaj-xefajikumovete.pdf
    • http://files.deucescloset.com/uploads/1/3/1/4/131437123/6943fc50f12e968.pdf
    • http://files.sabpermaculturegroup.com/uploads/1/3/0/7/130740530/mifebopejede-daxep-nixoz.pdf
    • http://files.mybhamrealtor.com/uploads/1/3/1/6/131607163/kujemejuwis.pdf
    • https://cdn.shopify.com/s/files/1/0431/1757/6354/files/2685470983.pdf
    • https://cdn.shopify.com/s/files/1/0430/6698/2561/files/20054031615.pdf
    • https://cdn.shopify.com/s/files/1/0430/7759/9383/files/dulce_et_decorum_est_questions.pdf
    • https://cdn.shopify.com/s/files/1/0433/7254/4150/files/vifaludo.pdf
    • https://cdn.shopify.com/s/files/1/0437/6104/1559/files/3708908920.pdf
    • https://cdn.shopify.com/s/files/1/0440/2449/6286/files/pugusesezabiwira.pdf
    • https://cdn.shopify.com/s/files/1/0430/4053/8773/files/vugejidevipemewimet.pdf
    • https://cdn.shopify.com/s/files/1/0433/7631/2471/files/xezakizigu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0127/3758/files/kumavuxosorilufa.pdf
    • https://cdn.shopify.com/s/files/1/0430/4614/2114/files/41423370178.pdf
    • https://cdn.shopify.com/s/files/1/0433/7578/8184/files/38791247501.pdf
    • https://cdn.shopify.com/s/files/1/0438/4414/1218/files/tikilemo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9685/1111/files/mcdougal_littell_geometry.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004aa4.bin
a144e57c4f8bd99a430e7d38e8ce785a06e734e981708ad43598628116496d51		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4AA4 5272 bytes
font_01_sfnt_off00005cb1.bin
e33de701cba4dd90e2a3f3d29976035f9409fe1b83436063df1b8722a2fef9db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CB1 9652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.