Malicious PDF — malware analysis report

Static analysis result for SHA-256 8297ee06c27c8cbe…

Verdict: MALICIOUS
File type: PDF
Size: 53.7 KB
Created: 2020-07-21 10:12:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a53fd782b6d25d976b6a869ae474e3e
SHA-1: c672df7f5e77fb91583dc48997614c00b69ac456
SHA-256: 8297ee06c27c8cbee5750e82c68fc44a475328925c863bae073694bbfce6006b
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, with one critical heuristic identifying a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, appears to contain keywords related to free downloads, reinforcing the lure. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/wb?keyword=pharmacovigilance%20books%20free%20download%20pdf
    • http://files.travelsbynancyteam.com/uploads/1/3/1/4/131454766/7054230.pdf
    • http://files.summitsalesrecruiting.com/uploads/1/3/2/6/132681303/3252394.pdf
    • http://files.edsolutionsofcharlotte.com/uploads/1/3/0/7/130775511/novoxugulemeli.pdf
    • http://files.bsquareddesigns.net/uploads/1/3/1/6/131606201/migitetud_jufevifatupuga_nisadesew_futukiriji.pdf
    • http://files.samikahn.com/uploads/1/3/1/1/131164350/lotutodifewet.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xopiforosolakalaxelavur.pdf
    • https://cdn.shopify.com/s/files/1/0433/8404/5719/files/65657524576.pdf
    • https://cdn.shopify.com/s/files/1/0430/5253/1869/files/32904875368.pdf
    • https://cdn.shopify.com/s/files/1/0433/9888/9621/files/90539646740.pdf
    • https://fuwedibet.files.wordpress.com/2020/06/nibugitegupebifenegusege.pdf
    • https://mowawosubi.files.wordpress.com/2020/06/vurufafude.pdf
    • https://vavokoze.files.wordpress.com/2020/06/vusilakapejoduzetoputijeg.pdf
    • https://cdn.shopify.com/s/files/1/0433/6890/6906/files/zojoso.pdf
    • https://cdn.shopify.com/s/files/1/0428/8924/8924/files/zerop.pdf
    • https://cdn.shopify.com/s/files/1/0431/2930/7296/files/35158047090.pdf
    • https://cdn.shopify.com/s/files/1/0428/1411/1903/files/fekajemaxuf.pdf
    • https://cdn.shopify.com/s/files/1/0430/4722/3458/files/nobegegukete.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/77603652905.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000928b.bin
    SHA-256: d98d4aa9d82a59ef4eb8ea6a4c24f988cbb12630d54eac4bcda3c9550b7d43e2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x928B
    Size: 5636 bytes
  • Filename: font_01_sfnt_off0000a58c.bin
    SHA-256: 56a991c7427c709972ffd6f4bd964cb91db438f1fbed9af2161793213181358d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA58C
    Size: 10588 bytes