Malicious PDF — malware analysis report

Static analysis result for SHA-256 a964c0e52e70b1ee…

MALICIOUS

PDF

46.8 KB Created: 2020-08-08 21:27:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 57605be4cd2d203b55a41cfb5ea4a316 SHA-1: 0680a1dec66ef8d1af4a240caff2961d481ea815 SHA-256: a964c0e52e70b1eefb0186f1e4e5e3f4bee44556100dcdf922684ee71632911d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with a critical heuristic firing for a malicious redirector link. The document body, though heavily obfuscated, contains the malicious URL. This indicates the PDF's primary purpose is to redirect the user to malicious infrastructure, likely for further exploitation or phishing. The presence of numerous shopify.com links suggests an attempt to blend in with legitimate content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=feiertage+aargau+2020+pdf
    • http://files.kristindraws.com/uploads/1/3/0/9/130969190/195c170.pdf
    • http://files.johnnylayne.com/uploads/1/3/1/1/131164081/girizekelaz-vudifaguka-fugaduwave-naxaponop.pdf
    • http://files.madebyloulou.net/uploads/1/3/1/8/131871891/59bfb6ba928ffb6.pdf
    • https://cdn.shopify.com/s/files/1/0441/1247/8360/files/kanopig.pdf
    • https://cdn.shopify.com/s/files/1/0430/6593/3985/files/30196563220.pdf
    • https://cdn.shopify.com/s/files/1/0431/8950/2110/files/clinical_chemistry_bishop_6th_edition_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0437/8135/7725/files/pdf_page_splitter.pdf
    • https://cdn.shopify.com/s/files/1/0434/6878/3782/files/pakuxoramixeret.pdf
    • https://cdn.shopify.com/s/files/1/0434/1746/9080/files/jukonakoxi.pdf
    • https://cdn.shopify.com/s/files/1/0440/9635/6504/files/87028902046.pdf
    • https://cdn.shopify.com/s/files/1/0433/2797/9678/files/crossed_eyes_meme.pdf
    • https://cdn.shopify.com/s/files/1/0437/3495/8229/files/annotate_in_ibooks.pdf
    • https://cdn.shopify.com/s/files/1/0429/8178/5753/files/66169736881.pdf
    • https://cdn.shopify.com/s/files/1/0433/2149/1621/files/13082527243.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006fc3.bin
c6cc971005718b5742f88c365a25a040f3223a4c704353c6b02333b56dd58504		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FC3 5228 bytes
font_01_sfnt_off000081a1.bin
35530daea85b053cd07714cb1f4ce5055b0c5c3ce15df56b029502ca9b716123		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81A1 14188 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.