Malicious PDF — malware analysis report

Static analysis result for SHA-256 943a01523b363bc9…

MALICIOUS

PDF

42.8 KB Created: 2020-08-05 06:02:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ad20be7324b08a210e2b293cba1219d SHA-1: 86ef7c608c890c6d39beb4e143f7029813eb3340 SHA-256: 943a01523b363bc9188990b33a8565234468502a87dfa300734b1feb8dfeca41
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a significant number of embedded links, identified by the PDF_SEO_LINK_FARM heuristic. One of these links, https://ttraff.cc/pify?keyword=correspondance+albert+camus+maria+casares+pdf+espa%25C3%25B1ol, is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting the primary purpose is to lure users to external, potentially malicious, content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=correspondance+albert+camus+maria+casares+pdf+espa%25C3%25B1ol
    • http://files.aecnwa.com/uploads/1/3/0/9/130968942/mujetifefi.pdf
    • http://xogekigow.tlcgardensandcrafts.com/uploads/1/3/2/3/132303382/papuxekatifone_ginekefazul_wovovozoda.pdf
    • http://xoduvuda.kitsuneillustrations.com/uploads/1/3/1/6/131637649/7784417.pdf
    • http://files.poehaku.com/uploads/1/3/1/6/131636745/fad0a787e.pdf
    • https://cdn.shopify.com/s/files/1/0430/0704/9877/files/9400134194.pdf
    • https://cdn.shopify.com/s/files/1/0433/0799/1208/files/nuzijalediwedobove.pdf
    • https://cdn.shopify.com/s/files/1/0429/9600/7065/files/98036672333.pdf
    • https://cdn.shopify.com/s/files/1/0436/3167/3502/files/rigaze.pdf
    • https://cdn.shopify.com/s/files/1/0432/8911/6836/files/34577207797.pdf
    • https://cdn.shopify.com/s/files/1/0431/2553/8980/files/47781203064.pdf
    • https://cdn.shopify.com/s/files/1/0432/8525/0216/files/ketuwalutizetuvadadexis.pdf
    • https://cdn.shopify.com/s/files/1/0433/0536/9758/files/28147336739.pdf
    • https://cdn.shopify.com/s/files/1/0431/7646/0448/files/gadirezukoru.pdf
    • https://cdn.shopify.com/s/files/1/0430/1992/7713/files/42277967427.pdf
    • https://cdn.shopify.com/s/files/1/0430/2327/0042/files/litebuwuxunotitot.pdf
    • https://cdn.shopify.com/s/files/1/0433/1231/6584/files/xoxulop.pdf
    • https://cdn.shopify.com/s/files/1/0451/0262/9016/files/facade_yes_or_no_oracle.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006623.bin
be09839a32930288d176a14204eb68f525d12ae99504a6a73aea2c8ede7a3f06		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6623 5560 bytes
font_01_sfnt_off000078aa.bin
7dee91fe1648f60df172c080f2dea2325136bbcc3430f3ab34ecd20937d6576d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78AA 10252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.