Malicious PDF — malware analysis report

Static analysis result for SHA-256 99037ddc4951e73e…

Verdict: MALICIOUS
File type: PDF
Size: 59.6 KB
Created: 2020-08-19 08:40:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a16c53d15b17210dd0316547f4a32dbe
SHA-1: c6bbea5cf04063a72a86de1235878a60f9431aa4
SHA-256: 99037ddc4951e73ed5cc8c35391669dbd0a1102877140338b54df01a2f4ce8ef
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a mass external link farm, with many links pointing to Shopify domains and one critical link to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'inventory template excel free' and the malicious redirector URL. This suggests a phishing or scam attempt to lure users to malicious sites under the guise of providing a useful document. No scripts were extracted from this sample.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; this is useful context when combined with link, macro, or attachment indicators.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=inventory+template+excel+free

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00009ddb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9DDB   4888 bytes
  SHA-256: 6d32658ea0fdb113d2ab37926b1962eaafc9286b5210b828090b40d5c9b7b37e
font_01_sfnt_off0000ae66.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xAE66   10604 bytes
  SHA-256: a899dfee6730458a3358342fb8ec48df096530b5851e448e43ab2ec511cd95ac
font_02_sfnt_off0000d2a8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD2A8   4324 bytes
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361