Malicious PDF — malware analysis report

Static analysis result for SHA-256 84ea67fe5372385b…

MALICIOUS

PDF

45.2 KB Created: 2020-07-29 00:24:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 945625b7701922e892b116df12a0075e SHA-1: 2dc28925aea487567b161f5374e65931d735892c SHA-256: 84ea67fe5372385b1720774b795a47a3bda7a6a8b7c7ef75b87c4d35f2e4be2e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous links, with one heuristic specifically identifying a malicious redirector. The document body, though heavily obfuscated, contains text related to 'field archaeology' and 'pdf', suggesting a lure. The presence of a malicious redirector URL indicates an attempt to lead the user to a harmful site, likely for credential harvesting or further malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=field+archaeology+an+introduction+pdf
    • http://files.mistynielsenphotography.com/uploads/1/3/0/8/130813869/e2362b010a.pdf
    • http://files.reva.solutions/uploads/1/3/1/4/131438002/punuxepudogotitofeno.pdf
    • http://files.newtongeorgiadems.org/uploads/1/3/0/7/130775679/zativovel-labosirewi-dorolopav-komujolewef.pdf
    • http://files.astros-oil.com/uploads/1/3/1/3/131382330/newaresap.pdf
    • http://files.bugsweedsmore.com/uploads/1/3/1/3/131380966/diwaxirure.pdf
    • https://cdn.shopify.com/s/files/1/0432/4923/8179/files/52413840709.pdf
    • https://cdn.shopify.com/s/files/1/0431/7301/9808/files/9567252707.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78682713185.pdf
    • https://cdn.shopify.com/s/files/1/0428/1873/2191/files/gesapadavepuxop.pdf
    • https://cdn.shopify.com/s/files/1/0430/3536/1442/files/kopifujomuwejo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tikifulodu.pdf
    • https://cdn.shopify.com/s/files/1/0437/7811/3690/files/69939561196.pdf
    • https://cdn.shopify.com/s/files/1/0429/2316/3801/files/wamupiwowuwuwutu.pdf
    • https://cdn.shopify.com/s/files/1/0433/2548/9305/files/70243765774.pdf
    • https://cdn.shopify.com/s/files/1/0432/7433/8454/files/46549243278.pdf
    • https://cdn.shopify.com/s/files/1/0429/6038/8252/files/21398967816.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007261.bin
0303cebd16b30bd6f44c188e4eb47c9840ecad86e48cce0d8805bbaac6ebcb93		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7261 5176 bytes
font_01_sfnt_off000083f7.bin
02f99c60f91a7804ac1ac70029350d0617e71b76147571f00ed712d82743e65a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83F7 10372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.