Malicious PDF — malware analysis report

Static analysis result for SHA-256 5844e2100d3a230d…

MALICIOUS

PDF

Size: 46.9 KB
Created: 2020-08-12 05:56:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9353cb8f4e2659856fe2e5f2fbd5974f
SHA-1: e763252bfa0730a1354333896e34c7cd7a29f99a
SHA-256: 5844e2100d3a230dc729fa6c9841c388583a09687cacb9594bfeacda3f3443e4
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment; T1059.001 PowerShell

The PDF contains a link farm and a specific malicious redirector URL, suggesting a phishing or scam attempt. The document body, though partially corrupted, includes text related to 'treatment for anxiety disorder pdf' and the malicious URL, reinforcing the lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a likely attempt to distribute malicious content or redirect users to harmful sites.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=treatment%20for%20anxiety%20disorder%20pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000078d3.bin
  SHA-256: affd514c21086016f7c62db95efb0d7d9600a8023612a37e02486e461b609552
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x78D3
  Size: 5272 bytes

Filename: font_01_sfnt_off00008abb.bin
  SHA-256: 66d78f6b9bd734cd38b7cb68c875bb3cf8b67707b8fd70b8fb3881333189e315
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8ABB
  Size: 10516 bytes