Malicious PDF — malware analysis report

Static analysis result for SHA-256 80d7ac7febdad704…

MALICIOUS

PDF

43.9 KB Created: 2020-08-30 15:58:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 674694559e46c86f42a9f8075eac96e5 SHA-1: 1afd850d7cba5fe44039d472318f23870eeae6e4 SHA-256: 80d7ac7febdad704fd536a525b6052a6ff675c8e102978f4bb1703ff544858ad
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external PDF links, suggesting an attempt to manipulate search engine results or distribute malicious content. The presence of the malicious redirector URL points towards a phishing or malware distribution attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=me+acercare+al+altar+de+dios+pdf
    • https://cdn.shopify.com/s/files/1/0431/1334/9273/files/the_book_of_mormon_musical_free.pdf
    • https://cdn.shopify.com/s/files/1/0432/3927/6699/files/unisa_payment_methods.pdf
    • https://cdn.shopify.com/s/files/1/0434/9159/0308/files/seditewagoxi.pdf
    • https://static.usrfiles.com/ugd/b8c837_335e42b09e474ea6aae944e6a41eac6f.pdf
    • https://static.usrfiles.com/ugd/2f3ac6_48126c05d5b64cfc9ae74cfb2b80b527.pdf
    • https://static.usrfiles.com/ugd/e1c37d_c691793541bd434e942e927f692039ca.pdf
    • https://static.usrfiles.com/ugd/0aab01_e5b4fddb90554947a9335672ae831e97.pdf
    • https://static.usrfiles.com/ugd/48d9a1_3a8b324e212b4b69900906cd5c29b3a5.pdf
    • https://cdn.shopify.com/s/files/1/0466/8008/0549/files/tapabupun.pdf
    • https://cdn.shopify.com/s/files/1/0428/0814/8127/files/15344997153.pdf
    • https://cdn.shopify.com/s/files/1/0427/7387/2807/files/apache_spark_quick_start_guide.pdf
    • https://cdn.shopify.com/s/files/1/0432/4101/3412/files/98538778309.pdf
    • https://cdn.shopify.com/s/files/1/0432/6277/1358/files/619321312.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006976.bin
430017a0ed170dd7439937012e39c7589a8c3d2b90f32c20f2fe82d683e74eea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6976 5156 bytes
font_01_sfnt_off00007b14.bin
c26ad63795f23ea58889de08cc753c221081f23a13f78b900b82c6c1fd4986c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B14 11732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.