Malicious PDF — malware analysis report

Static analysis result for SHA-256 508b9cf90349a424…

MALICIOUS

PDF

43.1 KB Created: 2020-08-05 08:14:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e4a82b95b386aff386c7dff4e77df67 SHA-1: ebf2d2466e63cb9d8e3893a28515035d6a41a550 SHA-256: 508b9cf90349a4248713a6987180034937f4d8ba992e5bd7248a11e7bdae5331
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one heuristic identifying a link to known malicious redirector infrastructure. The document body, though partially garbled, contains text related to a book title and a URL that appears to be the same as the malicious redirector. This suggests a phishing or scam attempt using a lure of a downloadable resource.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=practical+aviation+security+2nd+edition+pdf
    • http://files.aroundandbackagain.com/uploads/1/3/0/7/130775228/9301868.pdf
    • http://files.plazacateringboston.com/uploads/1/3/1/1/131164425/leboginojurov.pdf
    • http://files.aliciavilas.com/uploads/1/3/0/9/130969545/0960633a.pdf
    • http://files.psusdhistory.us/uploads/1/3/1/1/131164204/8ccaa3e6d54ee6.pdf
    • https://cdn.shopify.com/s/files/1/0440/3272/1046/files/pikilaseto.pdf
    • https://cdn.shopify.com/s/files/1/0431/4929/5776/files/xudolazobusurusafizoxuw.pdf
    • https://cdn.shopify.com/s/files/1/0432/7515/7670/files/missouri_sample_ballot_2016.pdf
    • https://cdn.shopify.com/s/files/1/0431/5797/9304/files/lidazul.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/banefidofekadozimodomi.pdf
    • https://cdn.shopify.com/s/files/1/0432/0270/7615/files/blank_calendar_may_2020.pdf
    • https://cdn.shopify.com/s/files/1/0428/4959/9651/files/96782926012.pdf
    • https://cdn.shopify.com/s/files/1/0432/1856/7335/files/wugaxozapodonabizulorotik.pdf
    • https://cdn.shopify.com/s/files/1/0432/0532/9064/files/sedoti.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xidab.pdf
    • https://cdn.shopify.com/s/files/1/0428/7060/3932/files/ds2_cheat_engine_item_swap.pdf
    • https://cdn.shopify.com/s/files/1/0432/5166/3012/files/51352055655.pdf
    • https://cdn.shopify.com/s/files/1/0438/7156/8040/files/54874712545.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e40.bin
6ff8ff541d8de375d3c6403c22eca1307b0dfc395c02035348f6be5b826c2377		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E40 5444 bytes
font_01_sfnt_off000070e0.bin
0fe3007a668c4822b21266fe4883a2f9d316cec48984debb2d53fa87f786fc3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70E0 14940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.