Malicious PDF — malware analysis report

Static analysis result for SHA-256 5909acf95ee55458…

MALICIOUS

PDF

61.0 KB Created: 2020-08-18 17:02:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ffa7dc75aabc546187c44be890214e25 SHA-1: 238ed58cbd6f344a6e75a84a053368b989af7c86 SHA-256: 5909acf95ee554587205a1688d1f0f164934636b5ee6edee44eeb7a5a3b0faac
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a malicious redirector link disguised as information about medication. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' indicates that the embedded URL leads to known malicious infrastructure. Additionally, the 'PDF_SEO_LINK_FARM' heuristic suggests a large number of outbound links, many of which are benign Shopify links, but the primary malicious link is present. The document body contains garbled text but also includes the target URL and some benign-looking PDF filenames, reinforcing the lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=metformin+hydrochloride+prolonged+release+tablets+ip+500mg
    • http://lixip.obxelectricians.com/uploads/1/3/2/3/132302815/xatesol_runusinewixo_jobulomit_bogovuzitafuvum.pdf
    • https://cdn.shopify.com/s/files/1/0430/1540/5725/files/smoke_on_the_water_guitar_chords.pdf
    • https://cdn.shopify.com/s/files/1/0429/3338/7423/files/xbox_one_modding_tool.pdf
    • https://cdn.shopify.com/s/files/1/0436/2603/7411/files/breve_resea_de_la_independencia_de_mexico.pdf
    • https://cdn.shopify.com/s/files/1/0431/1102/2756/files/95996472342.pdf
    • https://cdn.shopify.com/s/files/1/0436/3078/8758/files/46814485477.pdf
    • https://cdn.shopify.com/s/files/1/0436/3422/9406/files/23750067512.pdf
    • https://cdn.shopify.com/s/files/1/0431/7233/1675/files/browser_for_mac.pdf
    • https://cdn.shopify.com/s/files/1/0437/7346/0641/files/dumewufubilosukilu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/kivamusefelozadadazub.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a203.bin
f241e56c8388081d39b57943d59bffbca260d884e46d46db231cce023e0cb844		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA203 5868 bytes
font_01_sfnt_off0000b5d5.bin
6be64aa56598ba4c4ae11894c0a3c2c24a2aaf1fec14d7eeea6515723c6af0a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB5D5 10240 bytes
font_02_sfnt_off0000d8bd.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD8BD 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.