Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdf2d82669553a73…

Verdict: MALICIOUS
File type: PDF
Size: 56.7 KB
Created: 2020-08-15 00:59:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b68ca9e9fb3289b9cc76c80e74749d5
SHA-1: 3c3789e415709c8c66adc7f09157d76e943e8ce8
SHA-256: bdf2d82669553a73a8d7b0c1bec55481817453660c7baf31834bd99f3a47bba7
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF triggers the PDF_MALICIOUS_REDIRECTOR_LINK heuristic: it carries a clickable link to redirector infrastructure that steers users toward malicious content. PDF_SEO_LINK_FARM also fires, indicating the document is a generated link-farm carrier intended to raise the search ranking of the campaign's pages rather than a normal document. The primary IOC is the redirector URL on ttraff.com, which hides the final destination behind a redirect chain. No JavaScript or other scripts were extracted, so there is no evidence of a parser exploit or a payload inside the file itself; the attack depends on the user clicking a link.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=solid+angle+arnold+pdf
    • http://files.stpaulautomation.net/uploads/1/3/0/7/130739835/jigenajoribipixef.pdf
    • http://wadez.dawntrygstad.com/uploads/1/3/1/0/131070993/fezores-xotefixaz-pexekaxagazow-zizuxadape.pdf
    • http://files.cpwarchitects.com/uploads/1/3/2/3/132302711/9216688.pdf
    • https://cdn.shopify.com/s/files/1/0429/2768/5799/files/epic_emr_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/8249/7701/files/38080775272.pdf
    • https://cdn.shopify.com/s/files/1/0438/7930/1288/files/an_enthusiastic_gilled_blob_is_on_screen.pdf
    • https://cdn.shopify.com/s/files/1/0428/7568/2972/files/built_to_last_successful_habits_of_visionary_companies_summary.pdf
    • https://cdn.shopify.com/s/files/1/0435/2652/0987/files/american_english_file.pdf
    • https://cdn.shopify.com/s/files/1/0435/3346/7808/files/55808602626.pdf
    • https://cdn.shopify.com/s/files/1/0438/3201/7058/files/solar_energy_system.pdf
    • https://cdn.shopify.com/s/files/1/0430/1458/6521/files/farmacodermia_por_anticonvulsivantes.pdf
    • https://cdn.shopify.com/s/files/1/0428/6627/8556/files/nomanunawadokewimonubuxex.pdf
    • https://cdn.shopify.com/s/files/1/0429/5540/7511/files/nakeza.pdf
    XMP/RDF metadata namespace identifiers (schema URIs from the document's XMP packet, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
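Both critical heuristics rest on the same first step: recovering the clickable /URI targets from the file and then scoring them. The Python below is an added example written for this page, not the scanner's code or tooling from the report. It builds a constructed minimal PDF that carries /Link annotations with a handful of the URLs listed above plus an XMP metadata block, extracts the /URI literals, and applies simplified versions of PDF_SEO_LINK_FARM (small file, many external .pdf links clustered on one host) and PDF_MALICIOUS_REDIRECTOR_LINK (clickable URI on a known redirector host). The thresholds, the known-redirector list (seeded only with ttraff.com, the IOC named in this report) and the placeholder cdn.shopify.com paths are assumptions for the example.

```python
"""Added example, not the scanner's code: extract clickable /URI targets from a
PDF and apply simplified versions of the two heuristics in this report."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed inputs: the redirector and three farm links from the report, plus
# ten placeholder cdn.shopify.com paths (assumed) so host clustering is visible.
REDIRECTOR = "https://ttraff.com/pify?keyword=solid+angle+arnold+pdf"
FARM_LINKS = [
    "http://files.stpaulautomation.net/uploads/1/3/0/7/130739835/jigenajoribipixef.pdf",
    "http://wadez.dawntrygstad.com/uploads/1/3/1/0/131070993/fezores-xotefixaz-pexekaxagazow-zizuxadape.pdf",
    "http://files.cpwarchitects.com/uploads/1/3/2/3/132302711/9216688.pdf",
] + [f"https://cdn.shopify.com/s/files/1/04{n}/files/doc_{n}.pdf" for n in range(10)]
# Assumed allow-list for the example; the report names ttraff.com as the redirector IOC.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}
# Constructed XMP packet: namespace URIs like these are what a channel-agnostic
# URL sweep picks up, even though nothing in the document links to them.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
       b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')


def pdf_escape(s):
    """Escape a str as the body of a PDF literal string (backslash and parens)."""
    return s.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def build_pdf(uris):
    """Constructed minimal PDF: a page whose /Annots are /Link annotations with
    /URI actions, plus an XMP metadata stream. Enough structure for byte-level
    triage; it is not a complete, viewer-valid file (no xref table)."""
    out, refs = [b"%PDF-1.4\n"], []
    for i, u in enumerate(uris, start=4):
        refs.append(f"{i} 0 R".encode())
        out.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                   b"/A << /S /URI /URI (" % i + pdf_escape(u) + b") >> >>\nendobj\n")
    out.append(b"3 0 obj\n<< /Type /Page /Annots [" + b" ".join(refs) + b"] >>\nendobj\n")
    out.append(b"2 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP)
               + XMP + b"\nendstream\nendobj\n")
    out.append(b"%%EOF\n")
    return b"".join(out)


# Only the /URI key followed by a literal string; "/S /URI" is the action type, not a target.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
ANY_URL = re.compile(rb"""https?://[^\s"'<>()\]]+""")


def pdf_unescape(raw):
    """Undo the backslash escapes used by pdf_escape (minimal, not full PDF string syntax)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_link_uris(pdf):
    """Channel: link annotations. Returns the clickable targets in file order."""
    return [pdf_unescape(m) for m in URI_LITERAL.findall(pdf)]


def extract_all_urls(pdf):
    """Channel-agnostic sweep; also returns XMP namespace URIs that are not links."""
    return sorted({m.decode("latin-1") for m in ANY_URL.findall(pdf)})


def link_farm(uris, pdf_size, max_size=100_000, min_pdf_links=8, cluster_ratio=0.5):
    """Simplified PDF_SEO_LINK_FARM: small file, many external .pdf links, most on one host.
    Thresholds are assumptions for this example, not the scanner's."""
    pdf_links = [u for u in uris if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    fires = (pdf_size <= max_size and len(pdf_links) >= min_pdf_links
             and top_count >= cluster_ratio * len(pdf_links))
    return {"fires": fires, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_count": top_count}


def redirector_hits(uris, known_hosts=KNOWN_REDIRECTOR_HOSTS):
    """Simplified PDF_MALICIOUS_REDIRECTOR_LINK: clickable URI on a known redirector
    host. Also returns the SEO keyword the redirector keys on, if present."""
    hits = []
    for u in uris:
        p = urlparse(u)
        if p.hostname in known_hosts:
            hits.append((u, parse_qs(p.query).get("keyword", [None])[0]))
    return hits


if __name__ == "__main__":
    pdf = build_pdf([REDIRECTOR] + FARM_LINKS)
    links = extract_link_uris(pdf)
    print("link-annotation URIs:", len(links), "| URL-like strings anywhere:", len(extract_all_urls(pdf)))
    print("PDF_SEO_LINK_FARM:", link_farm(links, len(pdf)))
    print("PDF_MALICIOUS_REDIRECTOR_LINK:", redirector_hits(links))
```

Only the link-annotation channel feeds the two scoring functions; the generic sweep is what surfaces the RDF/DC/XMP namespace URIs under EMBEDDED_URL, which is why those entries are listed but not scored. A real sample can hide the same /URI actions inside compressed object streams, so a production extractor must inflate /FlateDecode streams before running the regex.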

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000a07e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA07E   5132 bytes
    SHA-256: 56419bb8d44f2a8029d0c9d7cdd0b5755f299bed80e727b9fb72703bbe8c34ab
font_01_sfnt_off0000b204.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB204   10640 bytes
    SHA-256: 61ce2e9bd7980994b7083a44b9490ff8de3948d13193ec92fc58830650f4cca3