Malicious PDF — malware analysis report

Static analysis result for SHA-256 a28958c15b451ac4…

Verdict: MALICIOUS
File type: PDF
Size: 86.5 KB
Created: 2020-08-27 17:21:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62ce86f98dd391763ffdd7f2e63f76d0
SHA-1: 62020fadd10e6c5df770cdcdc3ae94b2529b8b26
SHA-256: a28958c15b451ac42db85a36514bdfc32d854008841bae592ac3ab1c8444f2b4
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains embedded JavaScript and multiple links, one of which points to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'criticism examples' and the malicious URL. The primary attack vector appears to be social engineering, directing users to a malicious site under the guise of providing requested content.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off0001032f.bin
  SHA-256: 9f6ae25f2b6b30e8b684292a5b0dc28971d2e5ac525b75bdfb7dc019b514240c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1032F
  Size: 5052 bytes

font_01_sfnt_off00011443.bin
  SHA-256: c0b9b1aaec2920729bcf66148689d8994420ae4b7f404edacf9697abd6505326
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11443
  Size: 10316 bytes

font_02_sfnt_off00013793.bin
  SHA-256: fb09c764af2da29dcd1400a6d7077e59cbae054cb92185a2e15c15daf89e4388
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13793
  Size: 16176 bytes