Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f7a176f9f290346…

MALICIOUS

PDF

42.2 KB Created: 2020-08-07 00:02:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 695db68b1b4f3d4a69bb19c49c7b644d SHA-1: b0efba5e9e7e3fe76408593b8ecd1b8b0526c7b7 SHA-256: 4f7a176f9f2903469a54fc99ba18a3be6c2a6e763ccecc3684e69f89738d0591
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains text related to a 'Budapest public transportation map pdf' and a URL pointing to a redirector. This suggests the document's primary purpose is to redirect users to malicious sites, likely for phishing or malware delivery. No scripts were extracted, and the family is unknown due to the lack of specific indicators.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=budapest+public+transportation+map+pdf
    • http://votejo.theorlandorealtor.com/uploads/1/3/0/7/130775432/vinija.pdf
    • http://files.nswier.org/uploads/1/3/1/4/131483371/6ffc38f246904.pdf
    • http://files.greengardensevents.com/uploads/1/3/1/4/131406605/9832932.pdf
    • http://files.cockerspanielclubofga.net/uploads/1/3/0/7/130740196/medijebutitovat-gujob-kexetam.pdf
    • https://cdn.shopify.com/s/files/1/0433/0323/9835/files/varagexemipu.pdf
    • https://cdn.shopify.com/s/files/1/0432/1984/5278/files/15088961682.pdf
    • https://cdn.shopify.com/s/files/1/0448/9786/1787/files/hindu_girl_name_list_download.pdf
    • https://cdn.shopify.com/s/files/1/0437/2883/0625/files/47855582290.pdf
    • https://cdn.shopify.com/s/files/1/0432/6952/1568/files/prelude_cello_suite_bwv_1007_for_guitar.pdf
    • https://cdn.shopify.com/s/files/1/0430/1471/7597/files/31877967098.pdf
    • https://cdn.shopify.com/s/files/1/0446/9896/0026/files/solidworks_2014_part_i_basic_tools.pdf
    • https://cdn.shopify.com/s/files/1/0428/6893/2767/files/trustworthiness_in_research.pdf
    • https://cdn.shopify.com/s/files/1/0441/1670/5432/files/modosujubizejonugowifibob.pdf
    • https://cdn.shopify.com/s/files/1/0432/4950/0328/files/32179767282.pdf
    • https://cdn.shopify.com/s/files/1/0427/4854/3142/files/ratajegoxoru.pdf
    • https://cdn.shopify.com/s/files/1/0437/1755/8426/files/attestation_d_hbergement_parent.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000661f.bin
28c275ec499542a70a5da06ae0612d82a8b8d96a74ce25b51c3e28d8dc6fff2b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x661F 5492 bytes
font_01_sfnt_off000078b4.bin
5d0ff9f84439de7e84e6c86c4f958ee1655e5a9038e1c84f76a9e2310271de26		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78B4 10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.