Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fe5ab7bc9f5bd75…

MALICIOUS

PDF

42.6 KB Created: 2020-08-07 06:02:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ef9c93457ef9754c819be5c762697c6 SHA-1: 7c754870ca4e75b95ad3c035d2327c968f8e0702 SHA-256: 7fe5ab7bc9f5bd75d8994becab8d726112c82c9ef607d010c90e2c1bb86f7cbc
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to a worksheet and the malicious URL itself. This suggests a social engineering attack aiming to lure users to a compromised site. The presence of many external PDF links, including the primary malicious one, indicates a link farm or redirection strategy.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=present+perfect+already+yet+worksheet+pdf
    • http://files.aerospades.com/uploads/1/3/0/7/130738614/xifizire.pdf
    • http://files.nhpa.org/uploads/1/3/1/1/131164081/78de81a9f797.pdf
    • http://files.willdean.ca/uploads/1/3/0/9/130969148/16f8a4.pdf
    • http://files.woodsidefarmalpacastore.com/uploads/1/3/1/4/131452861/6cbb6.pdf
    • https://cdn.shopify.com/s/files/1/0435/2750/4024/files/61367537210.pdf
    • https://cdn.shopify.com/s/files/1/0428/8082/7558/files/78111140895.pdf
    • https://cdn.shopify.com/s/files/1/0433/4888/5662/files/4426853105.pdf
    • https://cdn.shopify.com/s/files/1/0437/7218/2685/files/google_home_mac_address.pdf
    • https://cdn.shopify.com/s/files/1/0437/5894/4405/files/gominosezurago.pdf
    • https://cdn.shopify.com/s/files/1/0432/3845/7501/files/monilijaxasewuda.pdf
    • https://cdn.shopify.com/s/files/1/0432/5978/9472/files/dowupo.pdf
    • https://cdn.shopify.com/s/files/1/0440/2121/9493/files/62112831441.pdf
    • https://cdn.shopify.com/s/files/1/0434/1678/0956/files/bloat_in_cattle.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/20659662050.pdf
    • https://cdn.shopify.com/s/files/1/0434/2562/8316/files/how_greenhouse_gases_cause_global_warming.pdf
    • https://cdn.shopify.com/s/files/1/0436/4930/2693/files/sebijazaxojeso.pdf
    • https://cdn.shopify.com/s/files/1/0433/0127/3758/files/ranibanoguwamadorizufob.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000658e.bin
7838f4e34e42d9890e9208e2ef620af6098062f767559104c9f73a6552a41df9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x658E 5504 bytes
font_01_sfnt_off00007853.bin
bc49087be61a4a4947bbc63c8ede416ad5e8da025d3661b85230b6ce66d687e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7853 10796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.