Malicious PDF — malware analysis report

Static analysis result for SHA-256 aec5b285f4793d4e…

MALICIOUS

PDF

56.5 KB Created: 2020-08-08 09:12:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d7ea2ea709ce6f4c76ce231f1985796 SHA-1: 125cf36117a19b66528ac8a7e72181ee94fa6a17 SHA-256: aec5b285f4793d4e5028b50cc9ace68fc3f15c054d10bb9e8115f8a806f6225e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a URL designed to lure users. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The presence of numerous other PDF links, many hosted on Shopify, indicates a potential link farm or SEO poisoning tactic to distribute the malicious document. No scripts were extracted, limiting the analysis of further payload delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=affidavit%20of%20adverse%20possession%20texas%20pdf
    • http://files.clairesadler.co.nz/uploads/1/3/1/3/131383650/848d72.pdf
    • http://zisad.adventuresoflittle.ca/uploads/1/3/0/8/130814788/kekalil_tefasadozizir_zowuwoj_weranazurafegus.pdf
    • http://files.gingertomjasonhutton.com/uploads/1/3/2/8/132816165/7216322.pdf
    • http://mitotopor.phenixsalonwestdenver.com/uploads/1/3/1/0/131070767/d9fbc580d1917a.pdf
    • https://cdn.shopify.com/s/files/1/0432/7673/0533/files/icy_veins_warlock_leveling.pdf
    • https://cdn.shopify.com/s/files/1/0430/8323/5489/files/23555314069.pdf
    • https://cdn.shopify.com/s/files/1/0431/6073/1808/files/gikevor.pdf
    • https://cdn.shopify.com/s/files/1/0431/6997/2392/files/24934559148.pdf
    • https://cdn.shopify.com/s/files/1/0428/8475/9711/files/ad_hoc_wireless_networks_textbook.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/miveguxuxububepevomozit.pdf
    • https://cdn.shopify.com/s/files/1/0428/9455/7350/files/69058145893.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gamusuzojikifikukudubug.pdf
    • https://cdn.shopify.com/s/files/1/0427/7298/8071/files/97285843084.pdf
    • https://cdn.shopify.com/s/files/1/0433/9322/0758/files/guranolozexote.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a062.bin
1d35e8fcda31b5a4b201e12f10d221cb4a0c8bbeaf1dc087a3798c5f749faae8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA062 5120 bytes
font_01_sfnt_off0000b1ee.bin
4e2ab120e7796c07b95192e610bc0d8981aa483ea7da410fc480efa3fe6fbf2f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB1EE 10320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.