Malicious PDF — malware analysis report

Static analysis result for SHA-256 53388c927fbb05d9…

MALICIOUS

PDF

Size: 111.7 KB
Created: 2020-08-11 17:08:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 698aa998959d3fb7b060afd7f940366a
SHA-1: e8bcff0975cebc3dcf3426aa913a729ebc71fff2
SHA-256: 53388c927fbb05d94455ed311e1f3bbc546c7fe042445dd32c7a77ba9f086782
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link farm and a specific redirector URL, indicating a phishing or malicious redirection attempt. The document body, though heavily obfuscated, contains the redirector URL, suggesting the primary goal is to lure the user to click this link. The presence of multiple external PDF links points towards a link farm strategy to potentially improve SEO or distribute malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000175cd.bin
    SHA-256: dcea18aad15e7bfa339c2639f1d9e84cf3aacb11d09866dfd7ca07ebebd50528
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x175CD
    Size: 5592 bytes
  • font_01_sfnt_off000188c0.bin
    SHA-256: 966d4f37709c9dca580b27ecfae875e325e187fa15183f84fd09ca0801c561aa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x188C0
    Size: 12128 bytes