Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b54e95029211700…

MALICIOUS

PDF

61.4 KB Created: 2020-08-15 13:39:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7981ebbe68baed0e81620349f286ebb4 SHA-1: 12196645c1ae703fde98be128a90def85af24434 SHA-256: 7b54e9502921170069ad443fba8c1492f5f86f85592ea9a4e85fb3e7bb81c0b7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains embedded links, one of which points to a known malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure for a 'vegetarian buffet menu pdf'. The presence of numerous external PDF links, many hosted on Shopify, suggests a link farm or SEO manipulation tactic to distribute the malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=vegetarian%20buffet%20menu%20pdf
    • http://tesugur.forstalsiberians.org/uploads/1/3/1/3/131398367/96b4bfe746f120.pdf
    • http://pudoragiz.axismundihealing.com/uploads/1/3/1/1/131164250/4186846.pdf
    • http://files.mykelpie.cz/uploads/1/3/0/8/130873732/820471.pdf
    • http://files.johnjfrederick.com/uploads/1/3/0/7/130776264/78d14dc7f4ba.pdf
    • http://files.suaxc.com/uploads/1/3/0/9/130969179/giwovuguj.pdf
    • https://cdn.shopify.com/s/files/1/0428/8305/5782/files/35090530224.pdf
    • https://cdn.shopify.com/s/files/1/0431/0538/6647/files/bagian_bagian_bunga_dan_fungsinya.pdf
    • https://cdn.shopify.com/s/files/1/0432/6467/1908/files/1974_chevy_truck.pdf
    • https://cdn.shopify.com/s/files/1/0429/8866/7039/files/viligigegememix.pdf
    • https://cdn.shopify.com/s/files/1/0428/8158/1209/files/96100072752.pdf
    • https://cdn.shopify.com/s/files/1/0430/7327/4010/files/45602876667.pdf
    • https://cdn.shopify.com/s/files/1/0433/0094/6073/files/42708417422.pdf
    • https://cdn.shopify.com/s/files/1/0433/1136/6309/files/33645250948.pdf
    • https://cdn.shopify.com/s/files/1/0433/3659/7654/files/fukubalowatoloje.pdf
    • https://cdn.shopify.com/s/files/1/0432/9422/8630/files/wazusorutagatilelotudizi.pdf
    • https://cdn.shopify.com/s/files/1/0434/6891/4838/files/kobevabomejinesuvomutofo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b390.bin
2e339a0bdd4436579d64628d566fd13b6302eb7b762a0bd94a189e8f21b511c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB390 5256 bytes
font_01_sfnt_off0000c558.bin
af16b59e14d10f47a8d135dd61a8650e48f889209a75e44259ff05959563a11c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC558 10308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.