Malicious PDF — malware analysis report

Static analysis result for SHA-256 b57c490d3986af7a…

MALICIOUS

PDF

Size: 43.1 KB
Created: 2020-08-07 13:51:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65947a6954c7c8d167096e929bb6c117
SHA-1: b9c0fa96840fa4d67fb9b7651e1af4ce16dfd8c9
SHA-256: b57c490d3986af7a9f0d89ae157336ca1ac4ca5dc9e69a3d028ddda423e954e4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with a critical heuristic firing indicating a link farm. One of the primary links directs to a known malicious redirector, suggesting the document's purpose is to lure users to malicious infrastructure. The document body itself is heavily obfuscated and contains embedded URLs, further supporting the malicious intent.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00005c10.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5C10  5488 bytes
  SHA-256: a6352afd977a2bf98fe6e36173bb3527f586426b2c5e69777d45edf98aeced66
font_01_sfnt_off00006e9d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6E9D  6068 bytes
  SHA-256: d8e4b7f44dfb66ea49c7f1cefd345a391fade3fb548cc17de4cdbf151663dabd
font_02_sfnt_off00007e4d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7E4D  9684 bytes
  SHA-256: 802593f0361e69a172865e9599ebc02852ac97345a699ce39bc9b0a387698f9a