Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3b0279aad94dae9…

Verdict: MALICIOUS
File type: PDF
Size: 115.8 KB
Created: 2020-08-05 04:01:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 548e82851b322212cbcf0dad31861a70
SHA-1: 2ae29505b19bb1538aa6b0aff6908bf7986f1273
SHA-256: a3b0279aad94dae93d7e9f4037017d4d2e276c8fdccd265d3019e9329adc7880
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link farm designed to appear as search results for sheet music, but the primary link redirects to a known malicious infrastructure. This suggests a social engineering tactic to trick users into downloading potentially malicious content. The PDF itself is generated by wkhtmltopdf, indicating it's likely a delivery vehicle for the malicious link.

Heuristics (3)

  • [critical] PDF links to known malicious redirector infrastructure (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] Small PDF contains mass external PDF link farm (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=beethoven+piano+sheet+music+pdf (primary redirector link)

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_008_off0000d9da.bin | 9321d59955f94e049fc858440028a8d7f63a0a119d5730688794f20ce107c40b | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD9DA | 3212 bytes
stream_015_off000170ec.bin | af5c0a500329998a0c18509dd473f6ec456a50fbd7cdb6397e1b55715358ca24 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x170EC | 23332 bytes
font_00_sfnt_off00007eda.bin | 3d696ec4c9075b1f49bccc234398d31bd7725b00c8da220e55345c63ec8c5479 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7EDA | 10216 bytes
font_01_sfnt_off000098ef.bin | b5272a26be479b22dd772dc1cf85babb5622c18e56657dbdffeb55a73bbc9137 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x98EF | 4096 bytes
font_02_sfnt_off0000a785.bin | 66b97e99456f90f1146b075e15fe7fc47ae456998075acb76d3a9092d20fc1a7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA785 | 5376 bytes
font_03_sfnt_off0000b9b2.bin | c8ca28f316cc44d6c2cc3125ef320dc6e5e708baa8df0f7962e0759105c93691 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB9B2 | 3804 bytes
font_04_sfnt_off0000c750.bin | d6f05fe9840196c1ae268fd92585e273104664b0a48c3c0a963da12590c38287 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC750 | 5788 bytes
font_06_sfnt_off0000e668.bin | 74188048f66cea2ab9e79b0060f1b22d7f6a166a725fba916c8a899a3527bc17 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE668 | 4348 bytes
font_07_sfnt_off0000f651.bin | b2022d63ba3dd0e12777f6d64f3d75c8d429e0b3cabef4c17feb4c8e3a24a3e2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF651 | 3512 bytes
font_08_sfnt_off00010446.bin | efa7df6e67ba32301346f2fd0dfe89fb17b3864163e7a8241cdbda7015694c7e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10446 | 2668 bytes
font_09_sfnt_off00010fb8.bin | daf2e77c6490f2e6568c2cdb9af3da2b9645e7e35471032f75154b91d766661a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10FB8 | 7300 bytes
font_10_sfnt_off0001276a.bin | 182fb8c0fb6f13f4ae29d33145670c90d4b17abcf663ebdb269fda139e52af1b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1276A | 7496 bytes
font_11_sfnt_off00013be0.bin | b2ab437195f772a8b90a15aba483d4a670cfe81f9a396a5360906c84a1b6697e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13BE0 | 17120 bytes
font_13_sfnt_off00019c2d.bin | affca73ae43ffed6e8445b6ee543ce159aa05d5f14d4145d7de78fa7420b3fe5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19C2D | 4520 bytes
font_14_sfnt_off0001aa97.bin | db41898688876093c202014ea80d2a98cf66dedf3a82aaeb48ebf31cbc0e8751 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AA97 | 6808 bytes