Malicious PDF — malware analysis report

Static analysis result for SHA-256 99203eb22e22cc01…

Verdict: MALICIOUS
File type: PDF
Size: 57.1 KB
Created: 2020-08-04 01:43:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88b3c2d648d013ec2852e1711b218a20
SHA-1: 03bcd94435b60c31b6402d592a6250d574571fe1
SHA-256: 99203eb22e22cc01187bef86b8beed25f02fda5836b9a8ba7b501b4951296fea
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link

The PDF file contains a large number of embedded links, one of which points to a known malicious redirector. The document body is heavily obfuscated and appears to have been generated by wkhtmltopdf, suggesting it is not intended to be read by a human but rather serves as a link farm or redirection carrier. The primary attack pattern is to use these links to direct users to potentially harmful content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00009626.bin
SHA-256: 3942d894abee8f8d02cdd73d247a31b52a73766ca4aab7ef1791993ff1b3fd33
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x9626
Size: 5164 bytes

Filename: font_01_sfnt_off0000a7e8.bin
SHA-256: 3bec9d618fa3764c325961568da8c90eccc6f4b568239125e7ccd62861874f13
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xA7E8
Size: 14560 bytes