Malicious PDF — malware analysis report

Static analysis result for SHA-256 aea69629c8a43860…

MALICIOUS

PDF

40.3 KB Created: 2020-08-10 11:47:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 829925ba49688cefed8f3dc34db07619 SHA-1: 205a75bdac1034406f5e99e7bc36e31575423984 SHA-256: aea69629c8a43860205b5a285f2f3ed9a9d9dc6e492e282b39f2bce7e7815711
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a malicious domain, disguised as a document about 'awk and sed commands'. This is further supported by heuristics indicating a malicious redirector and a link farm, suggesting an attempt to drive traffic to malicious sites. The document body itself is heavily obfuscated but contains the malicious URL.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=awk+and+sed+commands+pdf
    • http://files.themooryouknow.com/uploads/1/3/0/7/130775639/5285967.pdf
    • http://files.regencycommunities.com/uploads/1/3/1/3/131384281/jafudesibotemaxopov.pdf
    • http://xegazafes.southcallawayfootball.com/uploads/1/3/0/7/130776265/badonevagitum.pdf
    • https://cdn.shopify.com/s/files/1/0431/4575/6821/files/66283753453.pdf
    • https://cdn.shopify.com/s/files/1/0429/1490/6279/files/google_dork_filetype_vs_ext.pdf
    • https://cdn.shopify.com/s/files/1/0437/3463/0549/files/53976278623.pdf
    • https://cdn.shopify.com/s/files/1/0434/1560/1304/files/demopijezaguvifur.pdf
    • https://cdn.shopify.com/s/files/1/0431/4651/0504/files/92596707785.pdf
    • https://cdn.shopify.com/s/files/1/0434/5495/5672/files/rofarovofejujivemigapel.pdf
    • https://cdn.shopify.com/s/files/1/0429/4973/8650/files/8153574240.pdf
    • https://cdn.shopify.com/s/files/1/0437/5547/1006/files/33417633271.pdf
    • https://cdn.shopify.com/s/files/1/0431/0571/4338/files/ruponido.pdf
    • https://cdn.shopify.com/s/files/1/0431/8406/2622/files/97812900155.pdf
    • https://cdn.shopify.com/s/files/1/0435/7606/6207/files/tuxemasemonaneke.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fdf.bin
997cf7ca2b9a2a87299456505d6efd47c4727ff1ddd2c856ecdca472ac4973b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FDF 5316 bytes
font_01_sfnt_off00007205.bin
ee04608acdb720bee192dd0b3207372874be33e199b732ae7665b742b60d5c15		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7205 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.