Malicious PDF — malware analysis report

Static analysis result for SHA-256 99e57fa0d99d065b…

MALICIOUS

PDF

127.2 KB Created: 2020-08-19 10:10:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6fd4ffb540b2c17c6b73928a3e1cfb9f SHA-1: b14b160d68b81aa47d231f94d06a310ab605bf2e SHA-256: 99e57fa0d99d065b307ecb34d83af5781735e4dd326d5ff3fed957137e9515e3
200 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment T1059.003 Windows Command Shell

The PDF contains multiple heuristics indicating malicious intent, including a link to a known malicious redirector and a large number of external PDF links, suggesting a link farm. The document body also contains language typical of advance-fee scams and instructs the user to interact with command-line interfaces, likely to download or execute further payloads. The primary malicious IOC is the redirector URL.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=lotus+1-+2-+3+spreadsheet+file
    • http://rovekax.kienmassage.com/uploads/1/3/1/3/131381533/favugumivog-pexufaziri-lumiwakep-ravaxolusu.pdf
    • http://files.texasdispro.com/uploads/1/3/0/8/130874526/17c27b0b5.pdf
    • http://files.liacorrales.com/uploads/1/3/1/4/131406505/zejetod_poriroradix_novejonufe_renan.pdf
    • http://ruvifojo.lpprom.org/uploads/1/3/1/6/131606490/jawopujizid.pdf
    • http://romefet.sandydex.com/uploads/1/3/0/8/130814328/74d8196420.pdf
    • https://cdn.shopify.com/s/files/1/0434/4669/8146/files/16981198944.pdf
    • https://cdn.shopify.com/s/files/1/0431/4267/6648/files/41239983577.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/rafudegilezenetizaxesuvos.pdf
    • https://cdn.shopify.com/s/files/1/0440/8524/8165/files/vijudufezotejazeze.pdf
    • https://cdn.shopify.com/s/files/1/0435/4228/2394/files/febisosurewoja.pdf
    • https://cdn.shopify.com/s/files/1/0436/9501/4042/files/53478931658.pdf
    • https://cdn.shopify.com/s/files/1/0433/0936/7461/files/lezibumadokegebumipu.pdf
    • https://cdn.shopify.com/s/files/1/0427/5827/5238/files/25541868600.pdf
    • https://cdn.shopify.com/s/files/1/0429/1382/4927/files/rukalenalorogakoka.pdf
    • https://cdn.shopify.com/s/files/1/0436/2931/4206/files/management_information_systems_moving_business_forward_free.pdf
    • https://cdn.shopify.com/s/files/1/0432/2174/5823/files/calligraphy_practice_book_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/9702/2879/files/analysis_of_sorting_algorithms.pdf
    • https://cdn.shopify.com/s/files/1/0434/7556/6752/files/ct_bill_of_sale.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001707f.bin
adfd42a941daa48e4dffd1b42063de24be1cd1787071886ef73508caf393369c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1707F 17732 bytes
font_01_sfnt_off0001a9ab.bin
d51bd1b577e2794359c9b0a4c5be53cc02b2d6321b678bd141af7502789e0fb9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A9AB 5452 bytes
font_02_sfnt_off0001bc38.bin
8b1bdc5a4e9d71c03cbef7f1d458c735c10ffe7ec2a221644a96ce77de69cb14		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1BC38 16044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.