Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a20150c4beec554…

MALICIOUS

PDF

68.4 KB Created: 2020-08-22 07:00:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e12719e4cd95c920a997eaee2ee10f8 SHA-1: 60f92abed6ec11ea87a14c705d09fb5db13fa541 SHA-256: 5a20150c4beec5543f58514021be322b7b127713aa0aa5bb1e9b96795832ac0b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic identifying a malicious redirector. The document body, though partially corrupted, includes the primary malicious URL, suggesting a phishing or scam attempt. The presence of a link farm heuristic further indicates an attempt to distribute malicious content or manipulate search engine results.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=how+to+use+cuneiform+in+a+sentence
    • http://files.frunkpuppyshop.com/uploads/1/3/1/6/131607027/silupit-bavedo-nikezilizof.pdf
    • http://files.zenbeautyspa.com.au/uploads/1/3/2/8/132815968/bitebufik_votasuvakamal_bugokolepibur.pdf
    • http://dubezosu.skadoodlesboutique.com/uploads/1/3/2/7/132740585/3131511.pdf
    • http://files.thesoftandwild.com/uploads/1/3/0/7/130776769/4187543.pdf
    • https://cdn.shopify.com/s/files/1/0432/5244/9435/files/82449718267.pdf
    • https://cdn.shopify.com/s/files/1/0430/3477/1610/files/5ghz_channel_width.pdf
    • https://cdn.shopify.com/s/files/1/0432/7853/2758/files/human_body_parts_name_with_picture_in_gujarati.pdf
    • https://cdn.shopify.com/s/files/1/0429/3243/7158/files/bebubefugudotuzufen.pdf
    • https://cdn.shopify.com/s/files/1/0435/5765/0584/files/82120591237.pdf
    • https://cdn.shopify.com/s/files/1/0429/9050/2042/files/femalonogela.pdf
    • https://cdn.shopify.com/s/files/1/0429/3492/7513/files/57511678406.pdf
    • https://cdn.shopify.com/s/files/1/0435/3346/7808/files/functional_training_programs.pdf
    • https://cdn.shopify.com/s/files/1/0445/5736/9503/files/pitapeniraxigisu.pdf
    • https://cdn.shopify.com/s/files/1/0434/8297/2326/files/noxifutupuvosumij.pdf
    • https://cdn.shopify.com/s/files/1/0432/2682/4863/files/sesizidalepuvipazajoti.pdf
    • https://cdn.shopify.com/s/files/1/0438/5341/4565/files/nagikawugijosunubo.pdf
    • https://cdn.shopify.com/s/files/1/0434/4794/3330/files/audit_report_format_for_fy_2020_19.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cf74.bin
8b5f4bcc7eaec4cbec365267e07d3e26d7c0c97a09a70c0d361fb5221cc27b32		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCF74 5048 bytes
font_01_sfnt_off0000e092.bin
a929d935f589b37c9dcbb3ccd3876efd5c343ea86e12f1e0455a973a03521a74		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE092 10456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.