Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd0733cff1f90236…

Verdict: MALICIOUS
File type: PDF
Size: 49.3 KB
Created: 2020-08-28 06:09:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8823f6e63acaf434c11e972396d85a6c
SHA-1: 0cbae5398c73cb2d41020b4e8cb2878d9e526124
SHA-256: bd0733cff1f902368ed230112848bdfbf28ab7308999135853a57a7e212f8887
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One of these links, https://ttraff.cc/pify?keyword=aztec+gary+jennings+quotes, is identified as a malicious redirector. The document body, though heavily obfuscated, appears to contain text related to 'Aztec gary jennings quotes', suggesting a lure to disguise the malicious intent. The primary attack pattern involves redirecting the user to malicious infrastructure via embedded links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=aztec+gary+jennings+quotes

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off000082cb.bin
  SHA-256: 027bee71df371ebe09cd6af0ba29d2a63b7ebf668eb277ad490ff0d19e7e638c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x82CB
  Size: 5276 bytes

font_01_sfnt_off000094e4.bin
  SHA-256: ab2987775c0c001bdf6c3ffdb3e8580cd3fc4344f0667fca6179c3fe10b179af
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x94E4
  Size: 10436 bytes