Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad6c88655c5329f9…

MALICIOUS

PDF

47.2 KB Created: 2020-08-20 09:46:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f696b6020cc3d27a02c0b5778a6ea1c SHA-1: 8fc809c37457cf60bee9ebba068f89f74e6b6921 SHA-256: ad6c88655c5329f940bab534b047ccab02f48277731f57f0d9a2fafb0484ec56
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Ty beanie baby value guide 2019' and the malicious URL, suggesting a lure. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms the presence of a link to malicious infrastructure. The file was generated by wkhtmltopdf, a tool often used to create PDFs from web content, and contains a large number of external links, indicating a potential SEO poisoning or link farm tactic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=ty+beanie+baby+value+guide+2019
    • http://zulepewi.houghathleticboosterclub.org/uploads/1/3/1/8/131856158/bdaec7d.pdf
    • http://files.learningsasia.com/uploads/1/3/0/9/130969389/3574405.pdf
    • https://cdn.shopify.com/s/files/1/0433/6913/6280/files/jabuxogudepunaz.pdf
    • https://cdn.shopify.com/s/files/1/0435/8311/1325/files/dofukeropaxe.pdf
    • https://cdn.shopify.com/s/files/1/0437/2794/5889/files/world_important_days_download.pdf
    • https://cdn.shopify.com/s/files/1/0440/2230/0822/files/calvinism_versus_arminianism.pdf
    • https://cdn.shopify.com/s/files/1/0462/6415/6314/files/15529303483.pdf
    • https://cdn.shopify.com/s/files/1/0427/9848/1564/files/vatojijilurufesixosejinek.pdf
    • https://cdn.shopify.com/s/files/1/0433/7297/0133/files/52408553586.pdf
    • https://cdn.shopify.com/s/files/1/0428/3770/4867/files/15198654305.pdf
    • https://cdn.shopify.com/s/files/1/0428/4982/9023/files/febewexovukaserolaki.pdf
    • https://cdn.shopify.com/s/files/1/0431/5509/5712/files/wojoguguwesurobilefeg.pdf
    • https://cdn.shopify.com/s/files/1/0432/1037/5325/files/25490050623.pdf
    • https://cdn.shopify.com/s/files/1/0427/7128/4135/files/eclipse_shortcuts_java.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000790e.bin
e7e2e2f219c75e77e32f1aa64329cc1b0da450f0b1f5a3b996ef5fcaecac93a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x790E 5452 bytes
font_01_sfnt_off00008bb9.bin
9afaad01fac607a527ba321a52b04174ab8d2da132e23a15bc0f1c0f81a8ad99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8BB9 10524 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.