Malicious PDF — malware analysis report

Static analysis result for SHA-256 80acdb8a62f5542e…

MALICIOUS

PDF

37.5 KB Created: 2020-08-04 23:08:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f06f3fab5b3d0722a55706f5ebeabcb SHA-1: 67d8f67fe0311329c452ae2f42e840c538ea0f51 SHA-256: 80acdb8a62f5542ef758573c8e9e55bbfaca448385b0d9d9702a69e79fe1af03
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with a critical heuristic firing indicating a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=h100b+pulse+oximeter+pdf', which is the primary indicator of malicious intent. This URL likely leads to a phishing or malware distribution site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=h100b+pulse+oximeter+pdf
    • http://files.darylgove.com/uploads/1/3/1/3/131398036/3ab36.pdf
    • http://files.ecoadvantageinc.com/uploads/1/3/2/7/132712222/sipomuvivusuzise.pdf
    • http://files.simplybalanced3.net/uploads/1/3/1/4/131407469/dapem-nudanirokebar-voputu-gizakoferuk.pdf
    • http://libep.sogo.cc/uploads/1/3/1/8/131858661/luxonimovida_navewosulibozas_wobosumuni.pdf
    • https://cdn.shopify.com/s/files/1/0431/0115/9585/files/princeton_review_lsat_book.pdf
    • https://cdn.shopify.com/s/files/1/0432/6231/2616/files/20512391367.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xuvoba.pdf
    • https://cdn.shopify.com/s/files/1/0430/5272/8474/files/30614788671.pdf
    • https://cdn.shopify.com/s/files/1/0430/5590/6967/files/dikorupukirumamuwepigo.pdf
    • https://cdn.shopify.com/s/files/1/0433/5131/0488/files/wotabere.pdf
    • https://cdn.shopify.com/s/files/1/0433/0133/9304/files/25068736114.pdf
    • https://cdn.shopify.com/s/files/1/0428/5969/2198/files/55746714155.pdf
    • https://cdn.shopify.com/s/files/1/0429/7375/7603/files/19442611220.pdf
    • https://cdn.shopify.com/s/files/1/0434/5721/6678/files/openbsd_vs_freebsd.pdf
    • https://cdn.shopify.com/s/files/1/0434/7245/3797/files/vofibubewuvex.pdf
    • https://cdn.shopify.com/s/files/1/0438/3352/4386/files/lemuwi.pdf
    • https://cdn.shopify.com/s/files/1/0430/7235/6514/files/91087920306.pdf
    • https://cdn.shopify.com/s/files/1/0435/7138/0383/files/bubble_sort_in_c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000052c9.bin
250ca72008390b1fe4fa8295a6ca3f017bfea5dba21d81b8bad76f40d65f624d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52C9 5340 bytes
font_01_sfnt_off000064e0.bin
cc0b26ea6dc95415c6d15199dbe8f1a6e848b4a49488d4f976a43247171fac9e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64E0 10608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.