Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad299e1f5d19186a…

MALICIOUS

PDF

41.1 KB Created: 2020-08-24 02:19:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89012529585d03d311f021be2b287da3 SHA-1: 1dc6c32d5f6126c65d52e7950e4f128b4d06bf51 SHA-256: ad299e1f5d19186a7a346a118d430ee3cd5db4287690f75af874d8139acb0f25
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with one pointing to a known malicious redirector infrastructure. The document body itself is heavily obfuscated and appears to be a lure, possibly related to search engine optimization (SEO) manipulation or to host further malicious content. The presence of numerous external PDF links suggests a link farm strategy, potentially to improve search engine rankings or distribute malware.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=cat+island+ms+fishing+reports
    • http://fuwil.soarohio.org/uploads/1/3/0/8/130874113/jabaxosotelibo-mavitudul-volagexijufor.pdf
    • http://files.jaimearon.com/uploads/1/3/2/3/132302859/danagitepuxevuguvi.pdf
    • http://risuvaz.dvasbo.org/uploads/1/3/2/7/132712253/kuxitejitadi_kolumenulawa.pdf
    • http://files.projectauntieskids.org/uploads/1/3/0/9/130969220/wuvozikizowu-tedexubekijup-mugetozavu-xufegodagazuvod.pdf
    • https://cdn.shopify.com/s/files/1/0433/5294/8901/files/85048499805.pdf
    • https://cdn.shopify.com/s/files/1/0428/6241/1935/files/timadaweputigiteludirenif.pdf
    • https://cdn.shopify.com/s/files/1/0431/6590/9160/files/vevisirofexagikiketi.pdf
    • https://cdn.shopify.com/s/files/1/0437/5393/0901/files/journaux_algerie_gratuit.pdf
    • https://cdn.shopify.com/s/files/1/0431/5847/0816/files/vefovi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/80787326618.pdf
    • https://cdn.shopify.com/s/files/1/0431/6961/1930/files/58759798719.pdf
    • https://cdn.shopify.com/s/files/1/0434/0868/7269/files/xuwesibefuwopula.pdf
    • https://cdn.shopify.com/s/files/1/0430/7478/1338/files/business_law_10th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0436/4202/8182/files/all_in_one_toolbox_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0432/4828/7904/files/69990542672.pdf
    • https://cdn.shopify.com/s/files/1/0430/5027/0869/files/tivolot.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000621a.bin
3b594372f78278414122ccfbf0d5f416ec5fa7921812a7512c0d8166db4e5f17		 pdf-font-stream PDF embedded font (sfnt) at offset 0x621A 5360 bytes
font_01_sfnt_off00007421.bin
3b01749fbea4304f58b4f48277f0749e6ba039153273963576f7771341a92969		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7421 10356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.