Malicious PDF — malware analysis report

Static analysis result for SHA-256 91dd60700a4cf62a…

MALICIOUS

PDF

39.9 KB Created: 2020-08-15 22:08:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46a0afcdeea0502ba60318b2d8ca171c SHA-1: 8b56335599ee926fb98240fe717783d17cc65f9c SHA-256: 91dd60700a4cf62a6f2eb4a44f33e99bd7dcfdb20f4a4ccc98e851f10bad8f1e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL that triggers the malicious redirector. The presence of a link farm heuristic further supports the malicious intent of directing users to potentially harmful content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=nonlinear%20analysis%20theory%20methods%20&%20applications%20pdf
    • http://files.kaufman-law.com/uploads/1/3/2/6/132681596/3779e1f8.pdf
    • http://files.katemanne.net/uploads/1/3/1/6/131636957/681c66827f78b4a.pdf
    • https://cdn.shopify.com/s/files/1/0429/3050/3846/files/54553985153.pdf
    • https://cdn.shopify.com/s/files/1/0431/3304/2839/files/cv_format_for_civil_engineer.pdf
    • https://cdn.shopify.com/s/files/1/0428/8443/2031/files/wawubakobomaxixog.pdf
    • https://cdn.shopify.com/s/files/1/0431/2255/7082/files/44619235942.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/banefidofekadozimodomi.pdf
    • https://cdn.shopify.com/s/files/1/0431/7731/2405/files/45665410370.pdf
    • https://cdn.shopify.com/s/files/1/0434/6108/3301/files/bliss_point_economics_optional_notes.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lawup.pdf
    • https://cdn.shopify.com/s/files/1/0431/6558/1468/files/nunivubopizitunuvenep.pdf
    • https://cdn.shopify.com/s/files/1/0430/1016/2837/files/vopujonavukilunoto.pdf
    • https://cdn.shopify.com/s/files/1/0433/2758/6472/files/39587905278.pdf
    • https://cdn.shopify.com/s/files/1/0430/4325/8519/files/30630114099.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000048a4.bin
78768405f048ab4db5086261bc4f31a15d9f81985d8afac30075e664a7416017		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48A4 5136 bytes
font_01_sfnt_off000059ee.bin
074619b6962badd7951838a0d28b7f1bed3dee0817b140a60b0718055533a4e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59EE 10972 bytes
font_02_sfnt_off00007d76.bin
ccf879661c26e8d85a43d4fcfbba60320246430dcbf46b047d24072eb45b37a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D76 16132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.