Malicious PDF — malware analysis report

Static analysis result for SHA-256 81bede0e7dabece7…

MALICIOUS

PDF

44.1 KB Created: 2020-07-24 01:14:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 667bb1707ff138b98c7197a3e72cf582 SHA-1: b02b723fab624165215bffcd24789035b776dfd9 SHA-256: 81bede0e7dabece704c38d811a9d1765001e2f431968fa8ce58f3839b1327aa8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links to external websites, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, suggests a lure related to 'Greek waters pilot pdf'. The primary malicious IOC is the redirector URL, which likely leads to further malicious content or phishing pages.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=greek%20waters%20pilot%20pdf
    • http://files.yorkstone.ca/uploads/1/3/0/7/130740438/notidi.pdf
    • http://files.bellafurworks.com/uploads/1/3/1/8/131856381/duguvat.pdf
    • http://files.northidahocasa.org/uploads/1/3/2/7/132741198/0e7ca2980.pdf
    • https://cdn.shopify.com/s/files/1/0430/6419/7273/files/85091969301.pdf
    • https://cdn.shopify.com/s/files/1/0432/5320/3102/files/35957224804.pdf
    • https://cdn.shopify.com/s/files/1/0428/2672/7580/files/votexagunogadi.pdf
    • https://cdn.shopify.com/s/files/1/0438/9833/9496/files/bizewapidajivipa.pdf
    • https://cdn.shopify.com/s/files/1/0431/4267/6648/files/39284394211.pdf
    • https://cdn.shopify.com/s/files/1/0431/9304/1053/files/lusowujab.pdf
    • https://cdn.shopify.com/s/files/1/0432/0346/1283/files/82263693762.pdf
    • https://cdn.shopify.com/s/files/1/0431/0066/8065/files/76002678333.pdf
    • https://cdn.shopify.com/s/files/1/0436/6263/9269/files/72644185851.pdf
    • https://cdn.shopify.com/s/files/1/0433/5045/8520/files/70612703728.pdf
    • https://cdn.shopify.com/s/files/1/0435/5653/6471/files/genijunevusugem.pdf
    • https://cdn.shopify.com/s/files/1/0431/6925/1492/files/depenemewugopigojuru.pdf
    • https://cdn.shopify.com/s/files/1/0435/4870/4917/files/58834205315.pdf
    • https://cdn.shopify.com/s/files/1/0431/7220/0608/files/43813459901.pdf
    • https://cdn.shopify.com/s/files/1/0437/7618/0376/files/zujonafesuxuj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007137.bin
caaf38ae8615fc05de3bc1ba11913feb419d35a677a25f4e6c062291ae9f726d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7137 4904 bytes
font_01_sfnt_off00008214.bin
5e770eda7628a0c623dc0bfdf6ed51c3f2f6621aedaff71d557743c98dfaf655		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8214 9784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.