Malicious PDF — malware analysis report

Static analysis result for SHA-256 b132b3196499e0ef…

Verdict: MALICIOUS
File type: PDF
Size: 65.1 KB
Created: 2020-08-15 00:55:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4bf801283cb7c57ad779c0e7ea4deeba
SHA-1: 8353c107e75a857887e3348ab9372470cc824783
SHA-256: b132b3196499e0ef296b01571318568133a2e68888e55f5f3ab27ef3fe43fb87
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic indicating it links to a malicious redirector, specifically 'https://ttraff.cc/pify?keyword=camshaft+position+sensor+function+pdf'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with 'https://cdn.shopify.com/s/files/1/0431/0899/1125/files/giremelese.pdf' being the first identified. The document body, though heavily obfuscated, contains the same URL as the redirector, suggesting the document's primary purpose is to drive traffic to this malicious site.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/pify?keyword=camshaft+position+sensor+function+pdf
    • http://files.reviveandrestore.net/uploads/1/3/0/7/130739081/fobetizi-saxinum-xepigeku-guzurixada.pdf
    • http://lebege.tim-mcdonald.com/uploads/1/3/1/4/131453284/jiguroxafemokad_xesozafonokinuv.pdf
    • http://files.sarasautismsite.com/uploads/1/3/1/8/131858287/kinevegopifere_gevomoto_vagefozo.pdf
    • https://cdn.shopify.com/s/files/1/0431/0899/1125/files/giremelese.pdf
    • https://cdn.shopify.com/s/files/1/0432/2770/9597/files/emotions_and_feelings_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0436/5287/4390/files/13153258130.pdf
    • https://cdn.shopify.com/s/files/1/0432/7673/0533/files/boxokodubowuvote.pdf
    • https://cdn.shopify.com/s/files/1/0431/9507/2674/files/black_eye_emoji.pdf
    • https://cdn.shopify.com/s/files/1/0438/2323/5232/files/lusuniputudutez.pdf
    • https://cdn.shopify.com/s/files/1/0443/1613/1484/files/xonagezegoxetufalokulavev.pdf
    • https://cdn.shopify.com/s/files/1/0428/5667/7543/files/econometrics_exam_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/27039997465.pdf
    • https://cdn.shopify.com/s/files/1/0428/2476/1510/files/pudipaviz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000c264.bin
    SHA-256: d219a98890adc85f79aa7e386f390adf15c7ecf01fb8055564760f8844d788e7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC264
    Size: 5268 bytes
  • Filename: font_01_sfnt_off0000d42a.bin
    SHA-256: 964c877aec11e95c514b98094c7cc81cd5bfa21e725437f7de2c8c2f75922fda
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD42A
    Size: 10264 bytes