Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc98554264c2d86e…

MALICIOUS

PDF

39.4 KB Created: 2020-08-27 14:28:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96567943804986d12629ad2e3b2e2247 SHA-1: 32a7991ebbbe22d640dc83cac3dace61c4fda2c8 SHA-256: bc98554264c2d86e0840940fc3b6f0b7a63b02074071f457db99a112369180b0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector service known to host malicious content. The document body, though partially corrupted, contains text related to 'Tipos de diseño industrial' and includes the primary malicious URL. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms the presence of links to known malicious infrastructure, and 'PDF_SEO_LINK_FARM' indicates a pattern of mass external PDF link creation, suggesting a tactic to distribute malicious links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=tipos+de+dise%25C3%25B1o+industrial
    • http://zexipuz.jencolby.com/uploads/1/3/2/6/132695384/8191049.pdf
    • http://files.krismcg.com/uploads/1/3/1/4/131406800/mebekovejanelu.pdf
    • https://cdn.shopify.com/s/files/1/0435/8697/7949/files/8390734071.pdf
    • https://cdn.shopify.com/s/files/1/0430/1458/6521/files/25030689780.pdf
    • https://cdn.shopify.com/s/files/1/0434/3916/1500/files/parozone_bleach_safety_data_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0435/5093/3156/files/cetosis_en_vacas.pdf
    • https://cdn.shopify.com/s/files/1/0428/3393/6547/files/23728267772.pdf
    • https://cdn.shopify.com/s/files/1/0448/4051/7793/files/microsoft_az_103_dumps.pdf
    • https://cdn.shopify.com/s/files/1/0428/2122/2567/files/canon_printer_scanner_driver_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/8153/9483/files/93580764728.pdf
    • https://cdn.shopify.com/s/files/1/0431/3019/2039/files/7525653334.pdf
    • https://cdn.shopify.com/s/files/1/0432/9403/2040/files/14100294832.pdf
    • https://cdn.shopify.com/s/files/1/0431/6083/0116/files/30712985524.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005bb7.bin
67ac13bff16a2d79dbdd7823c4a3a77b174701b4e8eff03a4286cfd95deb643e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BB7 5112 bytes
font_01_sfnt_off00006cd5.bin
297d45783c6a9aeae9969ede5005d9dee9c5ae5984a593526170cfe1ef06973d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CD5 10564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.