Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ada99ff353f3850…

MALICIOUS

PDF

48.2 KB Created: 2020-10-11 05:32:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a5c39a763d2a8c2664fcce06cf2b141 SHA-1: 5ded4c085ec0fb45e8e894029c50fe7b24d245dd SHA-256: 8ada99ff353f3850c8f1d488ae9d2e60e03e9e6b5ddca4c5aa18bbc01d006a32
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body text and the embedded URL both reference a 'Ceqa process flow chart', suggesting a social engineering lure. The primary malicious IOC is the redirector URL.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=ceqa+process+flow+chart
    • https://site-1037215.mozfiles.com/files/1037215/dupetoxusevosulozumumorem.pdf
    • https://site-1041082.mozfiles.com/files/1041082/modomewepokujotot.pdf
    • https://site-1043571.mozfiles.com/files/1043571/bikogabogugedamiwemozilax.pdf
    • https://site-1043091.mozfiles.com/files/1043091/sebepodasivawofelireza.pdf
    • https://site-1036644.mozfiles.com/files/1036644/55438713756.pdf
    • https://site-1037086.mozfiles.com/files/1037086/62006211036.pdf
    • https://site-1036628.mozfiles.com/files/1036628/49931924119.pdf
    • https://site-1038868.mozfiles.com/files/1038868/rufijozalerakolodoxomorof.pdf
    • https://uploads.strikinglycdn.com/files/6adecdb6-9947-4dc8-9689-fab85bdefa1a/3174653753.pdf
    • https://uploads.strikinglycdn.com/files/a418097f-3cbf-40ff-ad93-f3d475bcbb26/36295423185.pdf
    • https://uploads.strikinglycdn.com/files/a9ebdf23-cba5-49cc-bc86-0f2bdaf0f9cc/14030025211.pdf
    • https://uploads.strikinglycdn.com/files/d7205ad9-6d68-4628-a86b-faefbf67c0c8/ridibimaximobekalezukutef.pdf
    • https://uploads.strikinglycdn.com/files/09e0a8ed-72b8-444e-9406-d22586cf201a/wawexigowobabeta.pdf
    • https://uploads.strikinglycdn.com/files/97ece77c-588a-4d9e-be04-0936f46f0f8f/pumesekulisarapipariremif.pdf
    • https://uploads.strikinglycdn.com/files/38368f82-a983-403f-8ffc-5aa8a3888d18/71502983309.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://uploads.strikinglycdn.com/files/d7205ad9-6d68-4628-a86b-

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079e2.bin
2ef4c98b7dfa59bc5af0e28fb9cb26e902bd251e8db0d507d6b9ef1b0d68655d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79E2 5224 bytes
font_01_sfnt_off00008bb6.bin
12ca7511d569c185a1db9922aa4b596a44480708d56093033f6afd74c0daa64f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8BB6 11948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.