Malicious PDF — malware analysis report

Static analysis result for SHA-256 c071f43329da1ad4…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Created: 2020-09-19 09:20:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f45d0854fb78146b4c20a62dc9689740
SHA-1: 6ff43793dee8aab13487165005435039af8c3f8e
SHA-256: c071f43329da1ad4a6495e42e15c9c6a6e647e2852d54e4cb278aa5fd93e2773
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF file contains multiple embedded links that point to known malicious redirectors and link farms, indicating a phishing or redirection attempt. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms that at least one URL leads to malicious infrastructure. The 'SE_CALLBACK_LURE' heuristic suggests a callback phishing or tech-support scam pattern, although no phone number was explicitly extracted. The document body, though heavily obfuscated, contains URLs that are also flagged by heuristics.

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.club/wix?keyword=99+construction+guide+osrs+ironman
    • http://zexojugi.artunlockedwithjessicatookey.com/uploads/1/3/2/8/132814946/8636357.pdf
    • http://xipufud.imaniyako.org/uploads/1/3/2/3/132302868/dipuve_bodoj_dakival_tutipiwiw.pdf
    • http://files.marinerswelfare.com/uploads/1/3/0/8/130813991/gupul.pdf
    • https://26657dd2-af2f-4f23-861a-2975b332ee36.filesusr.com/ugd/b52961_9c2b784241d14917bcba17eff3a060e7.pdf?index=true
    • https://fb9ba1af-579a-4dc1-ae0b-df86eaa97e11.filesusr.com/ugd/d38238_8421e8c92e1043d98de9a03e2c39874f.pdf?index=true
    • https://bd0bec8c-e1ec-4650-bf19-229dabd6d6b2.filesusr.com/ugd/8a4248_86a58b0171a14dae958999b2facac54e.pdf?index=true
    • https://4588b9b7-3a65-4d91-9b47-60baa773581b.filesusr.com/ugd/87fdc7_a55b008e98cd43199d7ac250e52d1449.pdf?index=true
    • https://ac29857a-bcf9-410e-8b0f-51a129f0b716.filesusr.com/ugd/278743_0878279f2b684cf9a96f1e983d233be6.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0433/9240/1566/files/94405041074.pdf
    • https://cdn.shopify.com/s/files/1/0435/7623/0051/files/44335881486.pdf
    • https://cdn.shopify.com/s/files/1/0432/2318/7616/files/tebutub.pdf
    • https://cdn.shopify.com/s/files/1/0433/5448/8990/files/tlcharger_un_dictionnaire_anglais_franais_gratuit.pdf
    • https://2def1cdb-7ffa-4617-b21c-1a3df41229d2.filesusr.com/ugd/b77b08_99b0801abafe4dcca3d1a5e1cec711d3.pdf?index=true
    • https://87686df3-7b89-412b-a57b-fe9732892055.filesusr.com/ugd/b48b60_2714bc69911b4991b836369b026b72b8.pdf?index=true
    • https://a0be4766-5eef-4e19-9de0-178304291ad7.filesusr.com/ugd/b8bbd7_83765ca1d603488bbdb4c3a185c26927.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off000068f9.bin
  SHA-256: 9b8c1907b2d3749426a173a736721a55e8dbbf18ebf5e8194f0e0377ef3792aa
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x68F9
  Size: 5288 bytes

Artifact 2
  Filename: font_01_sfnt_off00007ad4.bin
  SHA-256: c6b07d1f6eb07406fc0ea7d4d73fa631706025d1acee5b1003e24bbe85590ef9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7AD4
  Size: 10496 bytes