Malicious PDF — malware analysis report

Static analysis result for SHA-256 b19d3c4a432244ca…

Verdict: MALICIOUS
File type: PDF
Size: 37.1 KB
Created: 2020-08-24 22:17:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0e0601c7fa2a3eb1a4380aa94b95f0a5
SHA-1: 8b49b34f4d4b9b7751858a4e6963502e479aaa32
SHA-256: b19d3c4a432244ca408b7fe3fcbff9d4a667d697a8b4631e84e1e0209a2b7010
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to a URL that promises live sports content. This URL is likely part of a phishing or scam campaign designed to trick users into visiting malicious infrastructure. The document also contains a large number of embedded links, many of which point to benign Shopify domains, but the presence of the malicious redirector is the primary indicator of compromise. No scripts were extracted from this sample.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.ru/pify?keyword=watch+bleacher+report+live+on+ps4
    • http://ropab.crankinblackbox.com/uploads/1/3/0/8/130814328/2746b44f7a56.pdf
    • http://vabosof.cruisesceptic.com/uploads/1/3/1/3/131380485/bukuzabu-gezavinubob.pdf
    • https://cdn.shopify.com/s/files/1/0440/3268/8293/files/brgschaft_eltern.pdf
    • https://cdn.shopify.com/s/files/1/0433/4885/2904/files/glow_dust_oblivion.pdf
    • https://cdn.shopify.com/s/files/1/0432/1384/8733/files/97756703668.pdf
    • https://cdn.shopify.com/s/files/1/0431/6862/8892/files/kojazatogax.pdf
    • https://cdn.shopify.com/s/files/1/0436/9491/5738/files/13427780888.pdf
    • https://cdn.shopify.com/s/files/1/0437/8794/4096/files/biviwufiwaxopufax.pdf
    • https://cdn.shopify.com/s/files/1/0430/4479/8613/files/9099473121.pdf
    • https://cdn.shopify.com/s/files/1/0430/5492/3925/files/nightbot_counter_command.pdf
    • https://cdn.shopify.com/s/files/1/0427/8855/2870/files/montana_state_abbreviation.pdf
    • https://cdn.shopify.com/s/files/1/0431/4460/9943/files/tilitilepo.pdf
    • https://cdn.shopify.com/s/files/1/0431/3825/2954/files/dolafanujunatirazoz.pdf
    • https://cdn.shopify.com/s/files/1/0434/9489/9864/files/dufoledumaro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000523a.bin
  SHA-256: acbbb9e136b07dbc1824f94de881d1785be0dac7b3316765d58944c9c55844f7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x523A
  Size: 5324 bytes

Filename: font_01_sfnt_off0000645b.bin
  SHA-256: 0463e5794526ebcc462542c1c0751cb2e8b5ca737395a375710b26eb6b78276a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x645B
  Size: 10316 bytes