Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6d34e83af7143f0…

MALICIOUS

PDF

41.2 KB Created: 2020-08-31 10:40:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d2dff8e10a776532bb0c046c09c943e SHA-1: d00b5beafe6428734a1047f7e6c3da0c12fa2cbd SHA-256: a6d34e83af7143f01a90b3e4b1fcb74ad3d8bb50ae95de249c3858e89c1b4cd1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to a 'Daikin vrv iii service manual' and the URL itself contains a keyword suggesting a lure. This indicates a likely phishing or malware distribution attempt using a seemingly legitimate document to trick users into clicking malicious links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=daikin+vrv+iii+service+manual
    • https://cdn.shopify.com/s/files/1/0434/0042/9731/files/6196862476.pdf
    • https://cdn.shopify.com/s/files/1/0434/1855/0430/files/pisalugobokuko.pdf
    • https://cdn.shopify.com/s/files/1/0429/2309/8279/files/twitter_mute_list.pdf
    • https://cdn.shopify.com/s/files/1/0437/2761/8209/files/23672055401.pdf
    • https://cdn.shopify.com/s/files/1/0432/5507/0880/files/saitek_x55_drivers.pdf
    • https://cdn.shopify.com/s/files/1/0435/6282/7935/files/nujakex.pdf
    • https://cdn.shopify.com/s/files/1/0434/5282/5767/files/nisiranegemagojowupe.pdf
    • https://cdn.shopify.com/s/files/1/0437/9276/0994/files/xedukikezoluxitajir.pdf
    • https://static.usrfiles.com/ugd/b0b521_d64e7fb1b00447778957c448c7925136.pdf
    • https://static.usrfiles.com/ugd/eb5a6a_2355483268f24a6784b30b35e76a97b8.pdf
    • https://static.usrfiles.com/ugd/1e4819_7610ac268fdf4929b25d9deecd34e0ff.pdf
    • https://static.usrfiles.com/ugd/b8c837_b72b27a34f524b0f8a4beff5cfb824de.pdf
    • https://static.usrfiles.com/ugd/edb4a7_eeb9dce16cc44e4aa1a0f25359257db3.pdf
    • https://cdn.shopify.com/s/files/1/0430/3051/1779/files/38256670519.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/beloromawodosuxaso.pdf
    • https://cdn.shopify.com/s/files/1/0436/3495/0304/files/16922655159.pdf
    • https://cdn.shopify.com/s/files/1/0435/8553/6161/files/winrar_free_english_version.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064c8.bin
1e8d7a46dd9971e226cb0b06ccca74d311b1d7e4be94f3247c71f254ba25178d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64C8 5068 bytes
font_01_sfnt_off000075f6.bin
6745bde48f229e1790f319365f65915074f33b3c6b843032ea5cdd2ea815c3e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75F6 9920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.