Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a8ffd4882f8f948…

MALICIOUS

PDF

48.3 KB Created: 2020-08-23 21:28:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ca2f37de98d88c220f9e618d9d2afac SHA-1: c6a957894b684fde374fb2a891ec35828539f685 SHA-256: 9a8ffd4882f8f948eb3abd7b9eb956ecda0600e54331a8ad59789dd56995ecbb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The document body, though corrupted, appears to contain references to firewall logs, potentially as a lure. The presence of a link farm suggests an attempt to distribute malicious content or phishing pages. No scripts were extracted, but the heuristic firings strongly indicate a malicious redirection attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=checkpoint+firewall+log+format
    • http://wofimota.cypresspointportal.com/uploads/1/3/1/6/131606349/mekebigakiwufofebuju.pdf
    • http://files.coluxy.com/uploads/1/3/1/6/131607131/burifewafunogawipem.pdf
    • http://jikix.calgarynaturopathicdoctor.org/uploads/1/3/2/7/132710745/1454865.pdf
    • https://cdn.shopify.com/s/files/1/0434/6655/5556/files/leranivipukibosipowezasi.pdf
    • https://cdn.shopify.com/s/files/1/0429/2732/5343/files/zagibikilaguzivazu.pdf
    • https://cdn.shopify.com/s/files/1/0428/7902/5318/files/tigira.pdf
    • https://cdn.shopify.com/s/files/1/0433/7840/9622/files/39380563246.pdf
    • https://cdn.shopify.com/s/files/1/0438/4574/6838/files/15774219063.pdf
    • https://cdn.shopify.com/s/files/1/0428/3141/3404/files/96278276540.pdf
    • https://cdn.shopify.com/s/files/1/0433/5733/9807/files/79530498573.pdf
    • https://cdn.shopify.com/s/files/1/0432/7309/3288/files/17215201258.pdf
    • https://cdn.shopify.com/s/files/1/0462/7618/2165/files/fitted_crib_sheet_bed_bath_and_beyond.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000073eb.bin
e3324246e8ccc7b7d8e007191368fac74368866a98bc52fdd8210ff85261fa35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73EB 5312 bytes
font_01_sfnt_off000085dd.bin
e89b4eb47be6723cc84b42f6b74348a16b3035e93eddc136ddbb4afdc6ffd928		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85DD 14784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.