Malicious PDF — malware analysis report

Static analysis result for SHA-256 95bda99b3c2e2eb2…

MALICIOUS

PDF

37.0 KB Created: 2020-08-17 16:57:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e8ce1d8d2c012e2a9f8a777677d1af4 SHA-1: 62c21c67e7d3db00792d821b1e7367fde6b3bbdd SHA-256: 95bda99b3c2e2eb20245f95256fb0d90976c0bb9691e1174feec761019fad7c8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with one specifically identified as a malicious redirector: https://ttraff.cc/pify?keyword=costa+group+holdings+annual+report+2018. The document body, though partially corrupted, suggests a lure related to a financial report. The presence of a link farm heuristic further indicates an attempt to distribute malicious links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=costa+group+holdings+annual+report+2018
    • http://files.gunsitters.com/uploads/1/3/1/8/131856352/5913501.pdf
    • http://files.boundlessyogastudio.com/uploads/1/3/0/7/130738998/3121707.pdf
    • http://files.nathanielpicardbusky.com/uploads/1/3/0/8/130814043/jozize.pdf
    • http://files.profneilmehta.com/uploads/1/3/1/4/131406182/budujituwa_tobumivesonibu_zuxagudulano.pdf
    • http://files.cosmicaes.com/uploads/1/3/0/7/130776755/8fad464f7.pdf
    • https://cdn.shopify.com/s/files/1/0429/7742/7609/files/kidigixaput.pdf
    • https://cdn.shopify.com/s/files/1/0439/5152/1947/files/1954501842.pdf
    • https://cdn.shopify.com/s/files/1/0431/1485/6610/files/15613684058.pdf
    • https://cdn.shopify.com/s/files/1/0433/2398/1979/files/zabidugivema.pdf
    • https://cdn.shopify.com/s/files/1/0428/2171/4079/files/12771922678.pdf
    • https://cdn.shopify.com/s/files/1/0435/3140/3423/files/nibalinedemivelelokefuk.pdf
    • https://cdn.shopify.com/s/files/1/0435/5499/6383/files/4._snf_sosyal_bilgiler_test.pdf
    • https://cdn.shopify.com/s/files/1/0432/8921/5129/files/creon_bula.pdf
    • https://cdn.shopify.com/s/files/1/0429/8558/6849/files/vavifidisa.pdf
    • https://cdn.shopify.com/s/files/1/0432/4913/9880/files/fazetuxu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004449.bin
aac172e0c06b5cb06b029eeae76e4cf287a153ab9622a5372c9a31e16dfe27bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4449 5644 bytes
font_01_sfnt_off0000577d.bin
fbf32d8f271d726c67b680d1bf88f36c32b03d552528e2584b424e7e6b534919		 pdf-font-stream PDF embedded font (sfnt) at offset 0x577D 9356 bytes
font_02_sfnt_off00007756.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7756 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.