Malicious PDF — malware analysis report

Static analysis result for SHA-256 a63ae54dbc79d674…

MALICIOUS

PDF

39.8 KB Created: 2020-08-18 15:18:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fa0a2f51e3908b71e28efe195622867 SHA-1: c52d3a248cffc52111dc6860c85ee4b4b6e33b2d SHA-256: a63ae54dbc79d67403f09d2044b65dd50b749542595b2e30232703dc75289a3f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with a primary link directing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to email signatures and includes the malicious URL. The heuristic firings indicate the PDF is acting as a redirector and a link farm, designed to send users to external, potentially harmful, content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=best+email+signature+templates
    • http://files.pokeberryexchange.com/uploads/1/3/1/4/131482952/basukifovopopozol.pdf
    • http://jefik.bethelbiblecamp.org/uploads/1/3/0/8/130813528/8ce6353d76.pdf
    • http://files.thewaveindustries.com/uploads/1/3/1/4/131413837/a1b902b2.pdf
    • http://files.leaderproject.com/uploads/1/3/0/7/130740517/riwamuradovabud-jepusikabo-xagelapavapa.pdf
    • http://files.printyprintyprincess.com/uploads/1/3/1/4/131437873/7186118.pdf
    • https://cdn.shopify.com/s/files/1/0439/0433/6027/files/best_calligraphy_fonts.pdf
    • https://cdn.shopify.com/s/files/1/0430/7091/4717/files/mafibuwurix.pdf
    • https://cdn.shopify.com/s/files/1/0433/4062/8133/files/fish_counts_southern_california.pdf
    • https://cdn.shopify.com/s/files/1/0434/2562/8316/files/befufi.pdf
    • https://cdn.shopify.com/s/files/1/0437/6618/6135/files/arere_avala_naguvu_audio_song.pdf
    • https://cdn.shopify.com/s/files/1/0435/5365/2895/files/water_supply_and_sanitary_engineering_notes.pdf
    • https://cdn.shopify.com/s/files/1/0428/5058/2684/files/el_libro_rojo_carl_jung_descargar.pdf
    • https://cdn.shopify.com/s/files/1/0432/8508/6374/files/harry_potter_and_the_goblet_of_fire_book_bloomsbury.pdf
    • https://cdn.shopify.com/s/files/1/0429/2381/9175/files/88152872673.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f44.bin
220791029597d48542277866ef34f8620f2e9b311967d949f5a3fd91a73132d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F44 5188 bytes
font_01_sfnt_off000070cd.bin
d0e9bfab1c8ebb38d100d7ced6cf885f21763464e24d24b15a0f733d76c94b3a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70CD 9972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.