Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac8cdde0e3bc7a6a…

MALICIOUS

PDF

39.3 KB Created: 2020-08-06 10:44:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46a2eaa3fd3a159b1908f6963f68b8e3 SHA-1: e0aa45c1112d4cce615329f3159bb6b66c5c349d SHA-256: ac8cdde0e3bc7a6ad4fa782a8907c635e5e71edd69b11a2b794daac99cf70c10
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though partially corrupted, suggests a lure related to a 'bank appointment letter format'. The PDF also hosts a large number of external links, many pointing to Shopify domains, which is characteristic of SEO-based link farms used to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=bank+appointment+letter+format+pdf
    • http://files.hecklerancestry.com/uploads/1/3/2/7/132740327/4967143.pdf
    • http://files.thewedgeshop.com/uploads/1/3/2/6/132682048/josawasikagide.pdf
    • http://rebuxuvot.mfcocksart.com/uploads/1/3/1/3/131379732/talusu_paziwulibesegop.pdf
    • https://cdn.shopify.com/s/files/1/0433/9872/5793/files/87504941269.pdf
    • https://cdn.shopify.com/s/files/1/0431/5355/5624/files/suxolurojalevu.pdf
    • https://cdn.shopify.com/s/files/1/0433/2670/1723/files/34525888226.pdf
    • https://cdn.shopify.com/s/files/1/0433/2158/9913/files/19062885099.pdf
    • https://cdn.shopify.com/s/files/1/0431/1141/5965/files/8645882321.pdf
    • https://cdn.shopify.com/s/files/1/0427/6381/3020/files/89135405560.pdf
    • https://cdn.shopify.com/s/files/1/0431/7007/0687/files/free_johnson_service_manual.pdf
    • https://cdn.shopify.com/s/files/1/0437/0454/9531/files/what_is_closure_in_javascript.pdf
    • https://cdn.shopify.com/s/files/1/0432/7482/9987/files/mogaparuvum.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d65.bin
c1803faa7ad05fac03c1ab93c7e406048391ee2a09821295351f1eda4fd46a53		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D65 5124 bytes
font_01_sfnt_off00006ebf.bin
abc8aec0f653bae84d3aaacc8ee97d1ea96c83d4207b8256e03f6220f53aff55		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EBF 9968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.