Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab6dfc1cda9bea48…

MALICIOUS

PDF

33.2 KB Created: 2020-08-04 00:44:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8c3bc8fe2b4c7b7486063593f1387ef1 SHA-1: 49386854cd06fcbc6d194e6d1a06fa2070b7c0bb SHA-256: ab6dfc1cda9bea483af6ce2a556148a81cbf9ca57817e1713d4b6f5e0aa9362d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link redirects to a known malicious domain. The document body text, though partially corrupted, includes the phrase 'Carranza 13th edition pdf download' and the malicious redirector URL, suggesting a lure to trick users into clicking the link. The primary malicious URL is a redirector that likely leads to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=carranza+13th+edition+pdf+download
    • http://files.mingateachers.com/uploads/1/3/0/8/130813998/2925129.pdf
    • http://files.mrmarinisclass.com/uploads/1/3/1/8/131871556/tubazuv-detagi-lokasozuje-buleworujipofem.pdf
    • http://files.efhsvolleyballboosterclub.org/uploads/1/3/1/4/131454040/toratusaw.pdf
    • https://cdn.shopify.com/s/files/1/0430/5597/2505/files/rezed.pdf
    • https://cdn.shopify.com/s/files/1/0437/7916/2263/files/nijewatosizinuviwasibexuz.pdf
    • https://cdn.shopify.com/s/files/1/0432/8577/4502/files/batman_beyond_complete_series_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/7089/7824/files/16765307449.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lekutaxawiwasutoxojopelor.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rasebiv.pdf
    • https://cdn.shopify.com/s/files/1/0432/5313/7576/files/96937141038.pdf
    • https://cdn.shopify.com/s/files/1/0432/3134/6856/files/94479284870.pdf
    • https://cdn.shopify.com/s/files/1/0430/8297/3346/files/astro_a50_software.pdf
    • https://cdn.shopify.com/s/files/1/0431/1223/5159/files/badelu.pdf
    • https://cdn.shopify.com/s/files/1/0433/2234/3577/files/79357892060.pdf
    • https://cdn.shopify.com/s/files/1/0427/9389/4044/files/32288504044.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/85450973079.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000045d2.bin
87d5cf83354257fd6e778b4b5c5456cb12a57459bb32a1a9b8f07a66b95595d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x45D2 5216 bytes
font_01_sfnt_off000057a8.bin
20f58bc59acb986b3d41043fa5f9072b04838d053143b749633e3e473da48b06		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57A8 8924 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.