Malicious PDF — malware analysis report

Static analysis result for SHA-256 81934d263ef19049…

MALICIOUS

PDF

46.4 KB Created: 2020-08-01 06:17:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f8484411ed4356d78a4e6bfe992cadb SHA-1: a67112155bfb2d6d8293e04ae69246f718288aa4 SHA-256: 81934d263ef19049b1dfd91bca7a4d39e06210a36feb21b67e5c869b52dfc2ee
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector infrastructure. The document body, though heavily obfuscated, contains a URL that appears to be the primary lure. This suggests a phishing attempt designed to redirect users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=how+many+discord+servers+can+you+join
    • http://files.bobconi.com/uploads/1/3/1/6/131637224/vinibud_robibazibu.pdf
    • http://files.gypsydenboutique.com/uploads/1/3/0/7/130739116/4023380.pdf
    • http://files.laurenboehmlynch.com/uploads/1/3/0/7/130739379/54d45a9bbd402.pdf
    • http://files.bernadettebuote.com/uploads/1/3/0/8/130814283/be088.pdf
    • http://files.annepwert.com/uploads/1/3/0/8/130813592/454a6cd0c.pdf
    • https://cdn.shopify.com/s/files/1/0433/7188/8803/files/2335862204.pdf
    • https://cdn.shopify.com/s/files/1/0434/3486/8897/files/87285824958.pdf
    • https://cdn.shopify.com/s/files/1/0441/4350/9656/files/fi_6130z_driver.pdf
    • https://cdn.shopify.com/s/files/1/0429/8381/7375/files/70703090401.pdf
    • https://cdn.shopify.com/s/files/1/0431/6885/8272/files/94819014306.pdf
    • https://cdn.shopify.com/s/files/1/0432/6300/0734/files/mozozer.pdf
    • https://cdn.shopify.com/s/files/1/0429/2821/0073/files/34270458501.pdf
    • https://cdn.shopify.com/s/files/1/0439/5106/3195/files/16991446018.pdf
    • https://cdn.shopify.com/s/files/1/0437/0654/8377/files/adobe_illustrator_free_trial.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/puneson.pdf
    • https://cdn.shopify.com/s/files/1/0433/7028/3173/files/drake_sword_ds1.pdf
    • https://cdn.shopify.com/s/files/1/0438/1055/4016/files/kedezowejevavafikap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000076b9.bin
87bcf4261732af2db03b2089f1c82983ad9b6868fcd039452233433457093835		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76B9 5344 bytes
font_01_sfnt_off000088ec.bin
8de7608785205c5d9e6ebb29220379bab0427d3f3e2ef296e6f0c3f09b1ac8a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88EC 10316 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.