Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb5d9e8c1409448d…

MALICIOUS

PDF

44.6 KB Created: 2020-08-22 18:48:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d95b38d0141f9f75dc9743f5c5196ad SHA-1: 919fca332db82c4cf714fbb4234b6f583a2e48b6 SHA-256: bb5d9e8c1409448da0326592e3c1534b446f46104bfb549fc3a96b26f260d24c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text suggesting an educational context ('benim hocam türkçe pdf 2019'), likely intended as a lure. The heuristic firings indicate the PDF is designed as a link farm and redirects to malicious infrastructure, aiming to deliver a payload.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=benim+hocam+t%25C3%25BCrk%25C3%25A7e+pdf+2019
    • http://jomurixo.jasonleetenor.com/uploads/1/3/0/7/130739430/4940216.pdf
    • http://files.aromashoppe.com/uploads/1/3/1/4/131406985/xuwejetukux.pdf
    • https://cdn.shopify.com/s/files/1/0433/2371/9845/files/roxuxewosumejunadafisaxe.pdf
    • https://cdn.shopify.com/s/files/1/0433/7329/7822/files/25081587435.pdf
    • https://cdn.shopify.com/s/files/1/0428/3901/5580/files/77912040700.pdf
    • https://cdn.shopify.com/s/files/1/0438/1887/7085/files/formlabs_castable_wax_burnout.pdf
    • https://cdn.shopify.com/s/files/1/0433/3669/5959/files/past_simple_and_past_continuous_worksheets_with_answers.pdf
    • https://cdn.shopify.com/s/files/1/0433/6893/9672/files/rewedebi.pdf
    • https://cdn.shopify.com/s/files/1/0433/7929/4358/files/haeli_noelle_wey.pdf
    • https://cdn.shopify.com/s/files/1/0436/5287/4390/files/quenching_medium.pdf
    • https://cdn.shopify.com/s/files/1/0427/9622/0572/files/36847138848.pdf
    • https://cdn.shopify.com/s/files/1/0432/1381/5966/files/48430133075.pdf
    • https://cdn.shopify.com/s/files/1/0433/5294/8901/files/employee_biographical_data_sheet_end.pdf
    • https://cdn.shopify.com/s/files/1/0431/9982/4032/files/datokozakumukalafoxuvek.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a39.bin
5b9b8d49f90f328a9850e7cc5e99f1795d4b3c38d141e425d306a98362f1d183		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A39 6080 bytes
font_01_sfnt_off00007e43.bin
5a58a31e1b7db463163518909e5c685fcfce9f33805993d18708f2e1da4e836e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E43 12080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.