Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d6a72661b077dc5…

MALICIOUS

PDF

38.8 KB Created: 2020-08-15 01:01:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ad447d2eeb809e62dc0ce52682fa806 SHA-1: 6fc09bc159b6bb0d728bc497dd570f32050dae9d SHA-256: 8d6a72661b077dc5900e85f05b86a679ad002e574619734c91056e32e5c94175
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with one URL pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure for a free music score, which is then linked to the malicious redirector. The presence of numerous PDF links, many hosted on Shopify, suggests an attempt to obscure the malicious destination and potentially leverage benign-looking domains for initial distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=partitura%20de%20chacarera%20para%20violin%20pdf%20gratis
    • http://deguned.laurendfulter.com/uploads/1/3/2/7/132710712/2523523.pdf
    • https://cdn.shopify.com/s/files/1/0429/2742/3654/files/46123216579.pdf
    • https://cdn.shopify.com/s/files/1/0431/4044/8410/files/auroville_news_and_notes.pdf
    • https://cdn.shopify.com/s/files/1/0427/7954/1671/files/xevusenukasolipejowarep.pdf
    • https://cdn.shopify.com/s/files/1/0437/0602/4101/files/23686047885.pdf
    • https://cdn.shopify.com/s/files/1/0433/9603/8812/files/zalovixoduvovifabupado.pdf
    • https://cdn.shopify.com/s/files/1/0437/1152/9114/files/47910719606.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/binoluso.pdf
    • https://cdn.shopify.com/s/files/1/0432/2210/6271/files/bernard_lewis_middle_east.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000474b.bin
3a88413da5c656d3a0ab8574418e3d00ef651e7bdb099c45adbe1a4b44fab46d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x474B 5360 bytes
font_01_sfnt_off0000597f.bin
746de940a92e41b1bedd5f6a54acf6079bcf09110827a46757169415fb8b6e5c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x597F 11312 bytes
font_02_sfnt_off00007e92.bin
ad623bc7c681097dfa1224999cf6cc6072d3ca9a137655dc1129b0261f0b357c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E92 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.