Malicious PDF — malware analysis report

Static analysis result for SHA-256 874fe868abf3d5be…

Verdict: MALICIOUS
File type: PDF
Size: 54.4 KB
Created: 2020-08-07 04:02:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84f2594810ca08da8e950a3a8d6af4b1
SHA-1: f1f7a67333770f0ccf200cedd9b2e4bb7f221671
SHA-256: 874fe868abf3d5be207dd85aa2a6c49476974093c3d45763e2f43ccf20ec6436
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF matched a heuristic indicating it is a malicious redirector, linking to a URL that appears to be part of a link farm built for SEO manipulation. The document body, though heavily obfuscated, contains the same suspicious URL. This suggests the primary goal is to redirect users to potentially malicious content under the guise of a free download.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/pify?keyword=pdf+to+word+conversion+free+download+for+ubuntu+14.+04
    • http://files.manchestersummerplayground.com/uploads/1/3/0/7/130774973/8540960.pdf
    • http://files.shirecollies.com/uploads/1/3/1/4/131437236/jurugufav_pusefamujeratet_sujubat.pdf
    • http://files.aplvirtual.org/uploads/1/3/2/6/132682882/f1ad3a43ce.pdf
    • https://cdn.shopify.com/s/files/1/0433/7729/5516/files/honda_hr215_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0429/2830/8387/files/79647905434.pdf
    • https://cdn.shopify.com/s/files/1/0433/4210/2679/files/english_story_for_class_3.pdf
    • https://cdn.shopify.com/s/files/1/0434/1334/0316/files/63642009733.pdf
    • https://cdn.shopify.com/s/files/1/0433/5498/0505/files/fubiguwoze.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lonub.pdf
    • https://cdn.shopify.com/s/files/1/0435/1148/0472/files/voxufofovuxibutivogitivov.pdf
    • https://cdn.shopify.com/s/files/1/0435/8632/2600/files/bosonalufuritaxugiwo.pdf
    • https://cdn.shopify.com/s/files/1/0429/6019/1641/files/32409102458.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/miveguxuxububepevomozit.pdf
    • https://cdn.shopify.com/s/files/1/0438/4430/5061/files/97013740814.pdf
    • https://cdn.shopify.com/s/files/1/0429/5655/4394/files/8798794469.pdf
    • https://cdn.shopify.com/s/files/1/0431/2891/4074/files/29859826873.pdf
    • https://cdn.shopify.com/s/files/1/0435/9972/4702/files/business_standard_english_epaper_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off000090c3.bin
    SHA-256: 6181a3704565077d069f3a04a7135e61d6738edb085eac826e28f1c118594c5f
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x90C3
    Size:    5624 bytes
  • font_01_sfnt_off0000a41a.bin
    SHA-256: 488fc8df12cd79b07f6b198b508922378e529975b56ddf9c492a144bf7c51f86
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xA41A
    Size:    12356 bytes