Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d21bc3103af060f…

Verdict: MALICIOUS
File type: PDF
Size: 41.0 KB
Created: 2020-07-09 13:34:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52715589b60357cebbcc15e640910b73
SHA-1: 0bfda241bd29bfa7d40fb7440e2a52397cb43369
SHA-256: 9d21bc3103af060f2323d43cccbb494b8ba32743126701d7651bc2ad683ac44f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous embedded links, many of which point to domains associated with link farms and redirectors. One critical heuristic identified a link to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains a URL that appears to be the primary lure. The presence of these links suggests the document is designed to redirect users to malicious sites, likely for phishing or malware distribution.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006340.bin
  SHA-256: eea441db0e5d22a0c8210ef70b4f81770e2526b5cd0d1f4f6a38235ee99150ae
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6340
  Size: 5192 bytes

Filename: font_01_sfnt_off0000750e.bin
  SHA-256: 51a94aa87b53b73e1a0229632748145c52b7d320a52e885e4966b01f7055025f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x750E
  Size: 10048 bytes